Fail2ban whitelist

From LUG
Revision as of 15:31, 14 January 2021 by Haars001 (talk | contribs)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to navigation Jump to search


We use fail2ban to block IP addresses that try to log in to SSH servers.

This works by blocking IP addresses from which too many failed attempts originate.

This works nicely, but the side effect is that if true users use the wrong credentials a couple of times (FileZilla retries failed logins), they are also blocked.

This leads to administrative load, as these users will then have to ask an administrator of the service to unblock their IP.

So the idea is to automatically whitelist IP addresses from which a successful login has occurred,


  • People are no longer blocked if they use the wrong credentials a couple of times
  • This leads to lower administrator load


  • An extra set of configuration files has to be maintained on the servers
  • There is a possibility that a bad actor uses this setup to whitelist an IP address, and uses that as a starting point of an attack. (This seems unlikely, someone with access to a good set of credentials has better ways to bruteforce account information.)


To enable the automated whitelisting, we need 3 extra files (a filter, an action, and a config to enable both):



before = common.conf


_daemon = sshd


failregex  = ^%(__prefix_line)s\s*Accepted (publickey|password) for \S+ from <HOST>

mode = normal

ignoreregex =

maxlines = 1

journalmatch = _SYSTEMD_UNIT=sshd.service + _COMM=sshd

datepattern = {^LN-BEG}

/etc/fail2ban/action.d/ignoreip.conf :


actionstart =

actionstop  =

actioncheck = fail2ban-client status <name>

actionban   = fail2ban-client set <name> addignoreip <ip>

actionunban = fail2ban-client set <name> delignoreip <ip>


name  = default

chain = INPUT

/etc/fail2ban/jail.local :


ignoreself = true
ignoreip =

bantime  = 24 hours
findtime  = 12 hours
maxretry = 3
backend = auto


enabled = true
port    = ssh
logpath = %(sshd_log)s


enabled  = true
port     = ssh
logpath  = %(sshd_log)s
filter   = sshd-whitelist
action   = ignoreip[name=sshd]

# If you have multiple jails to add IPs to the ignorelist, use this:
# action    = ignoreip[actname=sshd_invalid,name=sshd_invalid]
#             ignoreip[actname=wur_sshd,name=wur_sshd]

maxretry = 1
bantime  = 1 month