Great, I'm glad it's working for you. I forgot to mention the added benefits of manipulating the ipset outside of Shorewall and fail2ban:

query: ipset list fail2ban-IPv4-ip | grep 218.27.162.22
ban:   ipset add fail2ban-IPv4-ip 218.27.162.22
unban: ipset del fail2ban-IPv4-ip 218.27.162.22
If you install the rpmfusion xtables-addons and Maxmind's free GeoIP tables, you can limit what countries can access the SSH port.

/etc/shorewall/rules (after the fail2ban DROP):

ACCEPT net:^[US] fw tcp ssh
DROP   net       fw tcp ssh

This only allows SSH from the United States.

Bill

On 5/28/2019 3:52 AM, Steven Barthen via Fail2ban-users wrote:
> Hello Bill,
>
> I changed and tested your solution and it works very well! Thanks a lot for that, it solved all my issues!
>
> Cheers
>
> On Tue, 28 May 2019 at 01:37, Bill Shirley <bshir...@openmri-scottsboro.com> wrote:
>
>> I use an ipset with Shorewall to ban IP addresses. My setup uses the 'timeout' option of ipset. Also, there is no unban/ban overhead upon restarting fail2ban.
>>
>> /etc/shorewall/init (note 'timeout' is the default in seconds):
>>
>> ipset -exist create fail2ban-IPv4-ip hash:ip timeout 86400
>>
>> /etc/shorewall/rules:
>>
>> ?SECTION NEW
>> ?COMMENT flagged by fail2ban
>> DROP net:+fail2ban-IPv4-ip[src] fw
>>
>> /etc/fail2ban/action.d/my_ipset_ip.conf:
>>
>> [INCLUDES]
>> before = iptables-blocktype.conf
>>
>> [Definition]
>> actioncheck =
>> actionstart =
>> actionstop =
>> actionban = ipset add fail2ban-<name> <ip> timeout <my_timeout> -exist
>> #actionunban = ipset del fail2ban-<name> <ip> -exist
>> actionunban =
>>
>> [Init]
>> name = IPv4-ip
>> my_timeout = 3600
>>
>> Note the actionunban is empty. I rely on the ipset timeout to expire to unban.
>>
>> /etc/fail2ban/jail.local:
>>
>> [sshd]
>> #enabled = false
>> enabled = true
>> action = my_ipset_ip[my_timeout=86400]
>> logpath = %(sshd_log)s
>> maxretry = 3
>> findtime = 7200
>> bantime = 60
>>
>> Because the actionunban is empty, I can use a 60 second 'bantime', and upon restart fail2ban doesn't try to re-ban the IP addresses, but the addresses are still dropped until the 'timeout' expires.
>>
>> Bill
>>
>> _______________________________________________
>> Fail2ban-users mailing list
>> Fail2ban-users@lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/fail2ban-users
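The manual query at the top of the thread pipes `ipset list` through `grep`, which is a substring match: grepping for 218.27.162.22 would also report 218.27.162.220 as banned. The script below is an added example (not code from the thread, from fail2ban or from Shorewall) that parses the `Members:` section of `ipset list` output and looks addresses up exactly, also reporting the remaining `timeout` that the setup above relies on for unbanning. The listing it works on is constructed for the example; only the set name and 218.27.162.22 come from the thread, and the other members and remaining-timeout values are made up.

```python
"""Exact lookups against `ipset list` output for a fail2ban timeout-based set.

Added example; not part of the mailing-list thread. Parses the Members
section instead of grepping it, so 218.27.162.22 does not match
218.27.162.220, and exposes each entry's remaining timeout in seconds.
"""
import ipaddress
import re

# Constructed sample of `ipset list fail2ban-IPv4-ip` output (not captured
# from a real host). Set name and 218.27.162.22 are from the thread; the
# other members and the remaining timeouts are invented for the example.
SAMPLE_LISTING = """\
Name: fail2ban-IPv4-ip
Type: hash:ip
Revision: 4
Header: family inet hashsize 1024 maxelem 65536 timeout 86400
Size in memory: 312
References: 1
Number of entries: 3
Members:
218.27.162.22 timeout 3421
218.27.162.220 timeout 85990
192.0.2.10 timeout 600
"""

# A member line is "<address>" optionally followed by "timeout <seconds>".
MEMBER_RE = re.compile(r"^(?P<ip>\S+)(?:\s+timeout\s+(?P<timeout>\d+))?")


def parse_ipset_listing(text):
    """Return (set_name, default_timeout, members).

    members maps each ipaddress object to its remaining timeout in seconds
    (None when the entry carries no timeout). default_timeout is the
    set-wide value from the Header line, or None if the set has none.
    """
    name = None
    default_timeout = None
    members = {}
    in_members = False
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if in_members:
            m = MEMBER_RE.match(line)
            if m:
                ip = ipaddress.ip_address(m.group("ip"))
                t = m.group("timeout")
                members[ip] = int(t) if t is not None else None
            continue
        if line.startswith("Name:"):
            name = line.split(":", 1)[1].strip()
        elif line.startswith("Header:"):
            hm = re.search(r"\btimeout\s+(\d+)", line)
            if hm:
                default_timeout = int(hm.group(1))
        elif line == "Members:":
            in_members = True
    return name, default_timeout, members


def remaining_ban(text, ip):
    """Exact-match lookup: seconds left on the ban for `ip`, or None if the
    address is not a member of the set."""
    _, _, members = parse_ipset_listing(text)
    return members.get(ipaddress.ip_address(ip))


def ipset_command(action, set_name, ip, timeout=None):
    """Build argv for the manual ban/unban commands from the thread.

    `-exist` makes add/del idempotent, as in the fail2ban action above, so
    re-banning an address that is already in the set is not an error.
    """
    if action not in ("add", "del"):
        raise ValueError("action must be 'add' or 'del'")
    argv = ["ipset", action, set_name, str(ipaddress.ip_address(ip))]
    if action == "add" and timeout is not None:
        argv += ["timeout", str(int(timeout))]
    argv.append("-exist")
    return argv


if __name__ == "__main__":
    name, default_timeout, members = parse_ipset_listing(SAMPLE_LISTING)
    print(f"{name}: default timeout {default_timeout}s, {len(members)} entries")
    # 218.27.162.2 is a substring of 218.27.162.22, so grep would report it
    # as banned; the exact lookup does not.
    for ip in ("218.27.162.22", "218.27.162.2"):
        left = remaining_ban(SAMPLE_LISTING, ip)
        print(ip, f"banned, {left}s left" if left is not None else "not banned")
    print(" ".join(ipset_command("add", name, "198.51.100.7", timeout=86400)))
```

On a live host, replace SAMPLE_LISTING with the output of `ipset list fail2ban-IPv4-ip` (for example via `subprocess.run(["ipset", "list", name], capture_output=True, text=True).stdout`, which needs the same privileges as the manual commands in the thread). The parser assumes a `hash:ip` set, as created in /etc/shorewall/init; a `hash:net` set would list CIDR entries and would need `ipaddress.ip_network` instead.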