
Blacklist IPs from a file

fail2ban is designed to dynamically watch logs and ban/unban IPs with bad reputations. However, with a little sneakiness, it can be abused to also load a list of permanently banned IP addresses. The trick is an action whose actionstart step reads a file of addresses and inserts a DROP rule for each one; nothing is ever banned or unbanned per address, and the list is only read when the jail starts.

First, we need to create an action, a file to be placed in action.d. I named it blacklistip.conf, and the name is important when you define the jail it goes in, i.e. action = blacklistip means look in action.d for a file named blacklistip.conf and load it as the action.

# action file to allow loading of IPs from a text file to be blocked
# along with fail2ban.
# The file contains one IP or subnet per line, and may be placed
# anywhere on the system.
# This is a perversion of fail2ban's basic purpose, which is to dynamically
# add/remove IPs from iptables, but it allows us to permanently ban
# some really, really bad people.
# example of file
# NOTE: I did not set it up to ignore comments or blank lines, so you can't put
# comments into the file: every line is handed to iptables exactly as written.
# Works on fail2ban 0.9

[INCLUDES]
before = iptables-common.conf

[Definition]
# what to do when fail2ban starts
# taken directly from the multiport ban action, with the last line
# inserted to load the IP file
actionstart = <iptables> -N f2b-<name>
              <iptables> -A f2b-<name> -j <returntype>
              <iptables> -I <chain> -p <protocol> -j f2b-<name>
              cat <filename> | while read -r IP; do <iptables> -I f2b-<name> 1 -s "$IP" -j DROP; done
# these actions are taken when fail2ban is shut down
actionstop = <iptables> -D <chain> -p <protocol> -j f2b-<name>
             <iptables> -F f2b-<name>
             <iptables> -X f2b-<name>
# the list is static, so there is nothing to check, ban or unban per IP;
# these are left empty on purpose so the iptables-common defaults do not run
actioncheck =
actionban =
actionunban =


Next, the jail needs a filter, even though no log is ever parsed. Create a dummy one in filter.d; since the jail is called blacklistip and sets no filter option, fail2ban will look for filter.d/blacklistip.conf.

# dummy filter file for the blacklistip jail (filter.d/blacklistip.conf).
# Expect a warning that failregex is not defined, or, if you uncomment
# failregex, expect a warning that there is no <HOST> entry in it.
# Since this is a static read, we don't actually parse any logs.

[Definition]
#failregex = ''

Finally, add the following block to jail.local. The name argument becomes the f2b-<name> chain, and filename is passed through to the action as the <filename> tag, so the list can live anywhere.

[blacklistip]
enabled = true
action = blacklistip[name=blacklistip,filename='/etc/fail2ban/ip.blacklist']

Two caveats. The jump into f2b-blacklistip is inserted with -p <protocol>, and iptables-common.conf defaults protocol to tcp, so pass protocol=all in the action arguments if the listed hosts should be dropped for every protocol. And because the file is only read in actionstart, edits to the list take effect only after the jail is reloaded (or fail2ban restarted); if your fail2ban version refuses to start a jail without any logpath, give it a harmless one such as an existing empty file.
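The action's read loop hands every line of the list straight to iptables, so a comment, a blank line, a CRLF line ending or a typo turns into a failed or wrong rule (and a malformed line stops nothing, since the loop ignores iptables' exit status). The script below is an added example, not the wiki's own action and not part of fail2ban: a POSIX shell loader that strips comments and whitespace, validates each entry as an IPv4 address or CIDR, reports and skips anything else, and then emits the same -I <chain> 1 -s <ip> -j DROP rules the action uses. The function names, the script path /usr/local/sbin/load-blacklist.sh, the chain name f2b-blacklistip and the IPTABLES variable (set it to echo for a dry run) are this example's own choices; the sample list is constructed.

```shell
#!/bin/sh
# Added example (not the wiki's action, not fail2ban code): load a blacklist
# file into an iptables chain the way the blacklistip action does, but clean
# and validate every line first so a stray line can never become a bad rule.
# IPTABLES defaults to "iptables"; IPTABLES=echo gives a dry run.

# Return 0 if $1 is a dotted-quad IPv4 address with an optional /0-32 prefix.
valid_ipv4_cidr() {
    _addr=${1%%/*}
    _prefix=${1#*/}
    [ "$_prefix" = "$1" ] && _prefix=32          # no slash: a single host
    case $_prefix in ''|*[!0-9]*) return 1 ;; esac
    [ "$_prefix" -le 32 ] || return 1
    # exactly four dot-separated fields, digits and dots only
    case $_addr in *.*.*.*.*|*[!0-9.]*) return 1 ;; *.*.*.*) ;; *) return 1 ;; esac
    _rest=$_addr
    for _i in 1 2 3 4; do
        _octet=${_rest%%.*}
        _rest=${_rest#*.}
        case $_octet in ''|*[!0-9]*) return 1 ;; esac
        [ "$_octet" -le 255 ] || return 1
    done
    return 0
}

# Print the valid entries of FILE ($1), one per line: CR, '#' comments,
# surrounding whitespace and blank lines are removed; malformed entries are
# reported on stderr and skipped rather than passed on to iptables.
parse_blacklist() {
    tr -d '\r' < "$1" |
    sed -e 's/#.*$//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' -e '/^$/d' |
    while IFS= read -r _entry; do
        if valid_ipv4_cidr "$_entry"; then
            printf '%s\n' "$_entry"
        else
            printf 'blacklist: skipping malformed entry "%s"\n' "$_entry" >&2
        fi
    done
}

# Run (or with IPTABLES=echo, print) the DROP rules that load FILE ($1) into
# CHAIN ($2), inserted at position 1 exactly as the action's loop does.
blacklist_rules() {
    parse_blacklist "$1" | while IFS= read -r _entry; do
        ${IPTABLES:-iptables} -I "$2" 1 -s "$_entry" -j DROP
    done
}

# Usage: load-blacklist.sh FILE CHAIN
#   e.g. load-blacklist.sh /etc/fail2ban/ip.blacklist f2b-blacklistip
if [ $# -eq 2 ]; then
    blacklist_rules "$1" "$2"
fi
```

To use it from the action, replace the cat | while line of actionstart with /usr/local/sbin/load-blacklist.sh <filename> f2b-<name> (path assumed); fail2ban substitutes the two tags and the script does the rest. Try IPTABLES=echo ./load-blacklist.sh /etc/fail2ban/ip.blacklist f2b-blacklistip first to see which lines would be loaded and which are rejected.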
software/fail2ban/blacklist.1565678698.txt.gz · Last modified: 2019/08/13 01:44 by rodolico