I use an ipset with Shorewall to ban IP addresses. My setup uses the 'timeout' option of ipset. Also, there is no unban/ban overhead upon restarting fail2ban.
/etc/shorewall/init (note 'timeout' is the default in seconds):

    ipset -exist create fail2ban-IPv4-ip hash:ip timeout 86400

/etc/shorewall/rules:

    ?SECTION NEW
    ?COMMENT flagged by fail2ban
    DROP    net:+fail2ban-IPv4-ip[src]    fw

/etc/fail2ban/action.d/my_ipset_ip.conf:

    [INCLUDES]
    before = iptables-blocktype.conf

    [Definition]
    actioncheck =
    actionstart =
    actionstop =
    actionban = ipset add fail2ban-<name> <ip> timeout <my_timeout> -exist
    #actionunban = ipset del fail2ban-<name> <ip> -exist
    actionunban =

    [Init]
    name = IPv4-ip
    my_timeout = 3600

Note the actionunban is empty. I rely on the ipset timeout to expire to unban.

/etc/fail2ban/jail.local:

    [sshd]
    #enabled = false
    enabled = true
    action = my_ipset_ip[my_timeout=86400]
    logpath = %(sshd_log)s
    maxretry = 3
    findtime = 7200
    bantime = 60

Because the actionunban is empty, I can use a 60 second 'bantime', and upon restart fail2ban doesn't try to re-ban the IP addresses, but the addresses are still dropped until the 'timeout' expires.

Bill
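To make the tag substitution in the post concrete, here is an added Python sketch (not fail2ban's own code; it only mimics how fail2ban expands <name>, <ip> and <my_timeout> in an action file and applies the jail's my_ipset_ip[my_timeout=86400] override) that renders the commands the my_ipset_ip action produces; the address 203.0.113.5 is a constructed sample value.

```python
import configparser
import re

# The [Definition] and [Init] sections of my_ipset_ip.conf from the post.
ACTION_CONF = """
[Definition]
actioncheck =
actionstart =
actionstop =
actionban = ipset add fail2ban-<name> <ip> timeout <my_timeout> -exist
actionunban =

[Init]
name = IPv4-ip
my_timeout = 3600
"""

def parse_jail_action(spec):
    """Split 'my_ipset_ip[my_timeout=86400]' into the action name and its overrides."""
    m = re.fullmatch(r"\s*([\w.-]+)\s*(?:\[(.*)\])?\s*", spec)
    if not m:
        raise ValueError(f"bad action spec: {spec!r}")
    overrides = {}
    if m.group(2):
        for kv in m.group(2).split(","):
            key, _, value = kv.partition("=")
            overrides[key.strip()] = value.strip()
    return m.group(1), overrides

def render(action_conf, jail_action, ip):
    """Return {command_name: rendered_shell_command} for one banned address."""
    cp = configparser.RawConfigParser()
    cp.read_string(action_conf)
    _, overrides = parse_jail_action(jail_action)
    # Tags: [Init] defaults, then jail overrides, then the per-ban <ip> tag.
    tags = dict(cp.items("Init"))
    tags.update(overrides)
    tags["ip"] = ip
    rendered = {}
    for key, template in cp.items("Definition"):
        cmd = template
        for tag, value in tags.items():
            cmd = cmd.replace(f"<{tag}>", value)
        rendered[key] = cmd.strip()   # "" means fail2ban runs nothing for that step
    return rendered

if __name__ == "__main__":
    for key, cmd in render(ACTION_CONF, "my_ipset_ip[my_timeout=86400]", "203.0.113.5").items():
        print(f"{key:12} -> {cmd!r}")
```

The rendered actionban carries the jail's 86400-second timeout rather than the [Init] default of 3600, and actionunban renders empty, which is why the 60-second bantime expiry and a fail2ban restart leave the ipset entry untouched.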
_______________________________________________
Fail2ban-users mailing list
Fail2ban-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/fail2ban-users