Re: Fail2Ban Question: Can I do this without restarting the service?
On Wed, Aug 15, 2018 at 09:29:58PM -0400, cyaiplexys wrote:
> Is there a better way to do this? I have a cron job that gathers IP
> addresses that get more than 1,000 hits from the apache log file and that
> gets put in the ip.blacklist.perm file.
If (as the filename implies) you want to block these addresses
permanently, then why are you using a tool designed to manage blocks
dynamically (fail2ban)? Just use your preferred firewall management
tool to add a rule to block them outside of fail2ban.
For example, I manage my firewalls with ufw, so I would use 'ufw deny
from $IP_ADDR'. It takes effect instantly, with no need to restart
anything, and will be persistent across reboots.
If you don't actually want them to be permanent, then you could instead
create a fail2ban jail which detects IP addresses which have generated
1000 incoming requests to ports 80/443 within the last 60 minutes (or
whatever timeframe your log analysis script looks at) and bans them for
a week (or however long you like), without needing to wait for the log
analysis script to run first. And you can also whitelist certain IPs in
the jail config, if there are internal service monitoring machines or
whatever which legitimately generate levels of traffic which would
normally trigger a ban.