Ban repeated offenders in Fail2ban: the recidive jail

After a first episode on Fail2ban focused on WordPress bruteforce attacks, I thought it would be useful to go back to something more generic. Fail2ban is mainly used to stop SSH bruteforce attacks, or at least that's how I see it used, with the good old sshd jail. However, IP addresses are not banned forever.

When the ban ends

An IP address gets banned for two reasons: either your fingers let you down, or you are trying to find your (unauthorized) way into a remote system. In the first case, you just have to wait (or ask a friend or coworker to unban you) between a few minutes and a few hours, depending on the bantime setting.

If you are a bruteforcer, once you get banned it is basically useless to keep hammering your target, at least for as long as the ban lasts. It's better to move on to another target. However, it can pay off to come back later and continue where you left off. In the case of an SSH bruteforce attack, I mean "go on with the rest of the dictionary". And what happens next? Either you succeed, or you (most probably) get banned again. Rinse and repeat.

From the standpoint of the system under attack, this means watching the same IP generate failed authentication messages in the log file and get banned again, over and over. So instead of your authentication log file, it's the Fail2ban log file that fills up.

What are our options?

When that happens, the options are:

  1. Ban forever;
  2. Increase ban time;
  3. Use the recidive jail.

Option number 1 may be the most effective, yet the most dangerous if you are just clumsy (I include myself in the clumsy ones).

Option number 2 is less extreme, but it's tricky to find the sweet spot between too many comebacks from bruteforcers and too much time to wait if you get banned yourself.

Let's explore option number 3: the recidive jail.

Enter the recidive jail

The recidive jail is nothing but another filter and jail configuration. What makes it special? It monitors the Fail2ban log file itself, so there is only one jail to configure to catch repeat offenders from all the other jails.

A simple recidive jail configuration would be:

[recidive]
enabled = true

Simple as that. By default, this jail has the following settings:

  • bans last one week;
  • looks for repeated offenders in the last one day.

A bit of warning, though: don't rename your jail, because the filter looks for the name "recidive" in the Fail2ban log in order to avoid counting its own bans of the same IP address. You can set up a different name and have the filter look for it, but in my opinion, this is adding useless complexity and looking for trouble.
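To make the behaviour described above concrete, here is an added example (not code from the original post or from the Fail2ban project) that replays a few constructed fail2ban.log lines and applies the recidive logic: count "Ban" lines per IP coming from every jail except recidive itself, keep only the bans seen within findtime (one day), and issue a one-week ban once maxretry bans have piled up. The log line layout, the regular expression, and maxretry = 5 are assumptions modelled on Fail2ban's defaults and its stock recidive filter, not copied from them.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Simplified pattern for a "Ban" line in fail2ban.log (assumption modelled on
# the stock recidive filter): capture the timestamp, the jail name and the IP.
# "Unban" and "Found" lines do not match, so they are ignored.
BAN_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d+ "
    r"fail2ban\.actions\s+\[\d+\]: NOTICE\s+\[(?P<jail>[^\]]+)\] Ban (?P<ip>\S+)$"
)

# Constructed sample log: 198.51.100.7 is banned five times in one day by two
# jails, 203.0.113.9 only three times. The "[recidive] Ban" line is the jail's
# own action and must not be counted as another offence.
SAMPLE_LOG = [
    "2024-03-01 08:00:00,001 fail2ban.filter         [812]: INFO    [sshd] Found 198.51.100.7 - 2024-03-01 08:00:00",
    "2024-03-01 08:05:05,112 fail2ban.actions        [812]: NOTICE  [sshd] Ban 198.51.100.7",
    "2024-03-01 08:11:41,015 fail2ban.actions        [812]: NOTICE  [sshd] Unban 198.51.100.7",
    "2024-03-01 08:15:09,330 fail2ban.actions        [812]: NOTICE  [sshd] Ban 198.51.100.7",
    "2024-03-01 09:02:44,072 fail2ban.actions        [812]: NOTICE  [sshd] Ban 203.0.113.9",
    "2024-03-01 10:30:27,418 fail2ban.actions        [812]: NOTICE  [sshd] Ban 198.51.100.7",
    "2024-03-01 13:47:51,903 fail2ban.actions        [812]: NOTICE  [wordpress] Ban 198.51.100.7",
    "2024-03-01 15:05:33,247 fail2ban.actions        [812]: NOTICE  [sshd] Ban 203.0.113.9",
    "2024-03-01 19:58:12,660 fail2ban.actions        [812]: NOTICE  [sshd] Ban 198.51.100.7",
    "2024-03-01 19:58:12,891 fail2ban.actions        [812]: NOTICE  [recidive] Ban 198.51.100.7",
    "2024-03-02 07:00:00,500 fail2ban.actions        [812]: NOTICE  [sshd] Ban 203.0.113.9",
]


def recidive_bans(lines, findtime=timedelta(days=1), maxretry=5,
                  bantime=timedelta(weeks=1), own_jail="recidive"):
    """Replay fail2ban.log lines and return [(ip, ban_start, ban_end), ...]
    for every IP that reached `maxretry` bans within `findtime`.
    maxretry=5 is an assumed default; bantime/findtime match the post."""
    windows = defaultdict(deque)   # ip -> timestamps of bans inside findtime
    bans = []
    for line in lines:
        m = BAN_RE.match(line)
        if not m or m.group("jail") == own_jail:
            continue               # not a ban, or the recidive jail's own ban
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
        window = windows[m.group("ip")]
        window.append(ts)
        while window and ts - window[0] > findtime:
            window.popleft()       # forget bans older than findtime
        if len(window) >= maxretry:
            bans.append((m.group("ip"), ts, ts + bantime))
            window.clear()         # start counting afresh after the long ban
    return bans


def is_banned(bans, ip, when_iso):
    """True if `ip` is under a recidive ban at ISO-8601 time `when_iso`."""
    when = datetime.fromisoformat(when_iso)
    return any(b_ip == ip and start <= when < end for b_ip, start, end in bans)


if __name__ == "__main__":
    for ip, start, end in recidive_bans(SAMPLE_LOG):
        print(f"{ip}: recidive ban from {start} until {end}")
```

With the sample above only 198.51.100.7 earns the week-long ban, starting at its fifth ban on 2024-03-01 19:58:12; 203.0.113.9 stays under the threshold. Passing a different `own_jail` value shows why renaming the jail is risky: the jail's own "Ban" lines would then be counted as fresh offences.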

Those two lines of configuration should ensure insisting bruteforcers stay away from your system.

I hope you enjoyed this post! If you did, please share it on your favorite social networks :-)

Photo by Obi Onyeador on Unsplash.