One common problem of fail2ban setups is that many bots seem to have adapted to the ban behavior: they detect being banned, start probing periodically to learn the banTime and then simply integrate that into their attack scheme.

A simple solution is to choose a high value (or infinite) for banTime, but that has the disadvantage of permanently banning regular users who just forgot their password, which unnecessarily generates support requests.

A different solution without this downside is a second-level approach: why not monitor /var/log/fail2ban.log for banned hosts and permanently ban them after some number of recidives?

Of course we do this with fail2ban itself, here's the configuration:

# /etc/fail2ban/filter.d/fail2ban.conf

failregex   = fail2ban.actions: WARNING \[.*\] Ban
ignoreregex = fail2ban.actions: WARNING \[fail2ban\] Ban


# /etc/fail2ban/action.d/permaban.conf

actionstart =
actionstop =
actioncheck =

actionban   = iptables -I banned 1 -s  -j DROP
actionunban = /bin/true


(Important point is to choose a different iptables chain than the one used for regular (i.e. temporary) bans!)

# /etc/fail2ban/jail.conf


enabled  = true
findtime = 86400
filter   = fail2ban
action   = permaban
logpath  = /var/log/fail2ban.log
maxretry = 2

Still testing it, but looks promising :)