Strange behavior with fail2ban when permanently banning IPs

J D asked:

As per documentation, setting jail bantime to a negative value should result in a permanent ban. However once that is done, the following behavior changes, compared to when setting bantime to a positive integer:

1) ipset list doesn’t show fail2ban-sshd hash table

2) firewall-cmd --direct --get-all-rules is empty

3) /var/log/fail2ban.log becomes a single line. interesting entry

sshd[25772]: Invalid user ubuntu from 93.174.89.88 port 37477′, ‘ip’:
‘93.174.89.88’, ‘ipmatches’: at 0x7f4588f9dc08>,
‘ipfailures’: at 0x7f4588f9daa0>, ‘time’:
1536301842.088076, ‘failures’: 1443, ‘ipjailfailures’: at 0x7f4588f9dd70>})’: Error banning 93.174.89.88

4) /var/log/messages has the following

firewalld[916]: WARNING: ‘/usr/sbin/iptables-restore –wait=2 -n’
failed: iptables-restore v1.4.21: Set fail2ban-sshd doesn’t
exist.#012#012Error occurred at line: 2#012Try ‘iptables-restore -h’
or ‘iptables-restore –help’ for more information. firewalld[916]:
ERROR: COMMAND_FAILED

The only command working as expected is fail2ban-client status sshd, however the IPs that are shown to be banned still try to connect. I think the root of all problems is that ipset isn’t created for whatever reason once the integer is negative.

Any ideas? Also, does the command fail2ban-client reload has the same affect as systemctl restart fail2ban.service when applying new configuration?

In my case, /etc/fail2ban/jail.d/local.conf

[sshd]
enabled = true
bantime = -1
findtime = 3600
maxretry = 5
action = %(action_)s

My answer:


This was a bug in older versions of fail2ban. It has since been fixed, but if your Linux distribution still ships that older version, you may also need a workaround.

The GitHub issue which explains the problem and fix also includes a workaround:

This is fixed in newer versions. For 0.9 you can simply overwrite bantime (timeout) parameter in action inside the jail (parameter timeout for ipset persistent rule is 0).

[sshd]
bantime = -1
action = %(banaction)s[name=%(__name__)s, bantime=0, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]

View the full question and any other answers on Server Fault.

Creative Commons License
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.