Fail2Ban Disable/add ignore IP Rule Suggestion

Just what it says: I suggest that a Fail2Ban ignore IP rule be added, as I literally just beat my head against the wall for about an hour until I realized why certbot was failing over and over…

Sorry, I realize Fail2Ban usage is my burden to bear, I’m just slowly losing it with all the great devs out there creating a script kiddie army with the collective “your corporate devs don’t care so here fly the zero days” and the new guy who decided that even though for five years the format was this, we need to change it cause I’m just that much more descendant of God and know how it should be…

Forgive me, you know you get it, sorry I vented XD

Hi! I’m not sure exactly what you’re suggesting?

What I’m suggesting is something, again this seems easy to me, but I don’t know, and atm I’m trying to finish my web development, and I am the lone gunman, but an easy-to-include option could be something in the script, AGAIN NOT Python, I’m just giving an example in bash:

[root@chemlab /]# fail2ban-client status
Status
|- Number of jail:	4
`- Jail list:	catchall, myadmin, errorlog, postfix
[root@chemlab /]# fail2ban-client status | grep "Jail list" |sed 's/^.*Jail list:\ *//g' | grep -o "[^,]*" | sed 's/^.*$/fail2ban-client set & addignoreip TESTINGIP/g'
fail2ban-client set 	catchall addignoreip TESTINGIP
fail2ban-client set  myadmin addignoreip TESTINGIP
fail2ban-client set  errorlog addignoreip TESTINGIP
fail2ban-client set  postfix addignoreip TESTINGIP
[root@chemlab /]# fail2ban-client status | grep "Jail list" |sed 's/^.*Jail list:\ *//g' | grep -o "[^,]*" | sed 's/^.*$/fail2ban-client set & delignoreip TESTINGIP/g'
fail2ban-client set 	catchall delignoreip TESTINGIP
fail2ban-client set  myadmin delignoreip TESTINGIP
fail2ban-client set  errorlog delignoreip TESTINGIP
fail2ban-client set  postfix delignoreip TESTINGIP

then again it could be as simple as

systemctl stop fail2ban.service
execute verifications
systemctl start fail2ban.service

I am the lone gunman, so after beating my head into the wall I thought, oh, that’s it… but if there are two or three different teams, or hired people or wtfe, then one will possibly miss the other, and my fail2ban rules probably got triggered in a configuration jumble just like most have when dealing with certbot issues…

idk, it was a suggestion. I am already going to have to write some automation for the certbot as I get certificates for my mail server, and for local-only servers that obviously I need outwards facing for the verification, so I will be fine from now on

fwiw the thing that flipped my fail2ban ruleset was that I had Header always set Strict-Transport-Security enabled in a .htaccess file, which again is the multiple teams possible thing, and I believe that header forces https no matter what, and the certbot I think had an issue with that, idk…

I’m good now, but the fail2ban was just a suggestion, cause if the IPs get banned then it will never verify

I just noticed the title was autocorrected to up, I meant IP
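
A sturdier form of the one-liner posted above, as an added example that is not part of the original thread: it trims the tab and spaces around each jail name, rejects a malformed address, and prints the same `fail2ban-client set <jail> addignoreip` / `delignoreip` commands. The function names, the sample status text and the address 192.0.2.10 are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): build per-jail ignore-IP commands
# from the text that `fail2ban-client status` prints.

# jail_names: read status text on stdin, print one trimmed jail name per line.
jail_names() {
    sed -n 's/^.*Jail list:[[:space:]]*//p' | tr ',' '\n' |
        sed 's/^[[:space:]]*//; s/[[:space:]]*$//' | grep -v '^$'
}

# ignoreip_cmds ACTION IP: ACTION is "add" or "del"; status text on stdin.
# Prints one command per jail and runs nothing itself.
ignoreip_cmds() {
    action=$1
    ip=$2
    case $action in
        add|del) ;;
        *) echo "action must be add or del" >&2; return 2 ;;
    esac
    # Allow only characters that occur in an IPv4/IPv6 address or CIDR range,
    # so the generated lines stay safe to hand to a shell.
    case $ip in
        ''|*[!0-9A-Fa-f:./]*) echo "bad address: $ip" >&2; return 2 ;;
    esac
    jail_names | while IFS= read -r jail; do
        printf 'fail2ban-client set %s %signoreip %s\n' "$jail" "$action" "$ip"
    done
}

# Constructed sample of `fail2ban-client status` output (jail names as in the
# session above, including the tab after "Jail list:").
sample_status() {
    printf 'Status\n|- Number of jail:\t4\n`- Jail list:\tcatchall, myadmin, errorlog, postfix\n'
}

# Demo on the constructed sample; 192.0.2.10 is a documentation address.
sample_status | ignoreip_cmds add 192.0.2.10
sample_status | ignoreip_cmds del 192.0.2.10

# On a live host (assumption: run as root with fail2ban running):
#   fail2ban-client status | ignoreip_cmds add "$IP" | sh
```
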
