One common problem of fail2ban setups is that
many bots seem to have adapted to the ban behavior: they detect being
banned, start probing periodically to learn the banTime and then
simply integrate that into their attack scheme.
A simple solution is to choose a high value (or infinite) for banTime,
but that has the disadvantage of permanently banning regular users who
just forgot their password, which unnecessarily generates support
requests.
A different solution without this downside is a second-level approach:
why not monitor /var/log/fail2ban.log for banned hosts and permanently
ban them after some number of recidives?
Of course we do this with fail2ban itself, here's the configuration:
# /etc/fail2ban/filter.d/fail2ban.conf
[Definition]
failregex = fail2ban.actions: WARNING \[.*\] Ban
ignoreregex = fail2ban.actions: WARNING \[fail2ban\] Ban
and
# /etc/fail2ban/action.d/permaban.conf
[Definition]
actionstart =
actionstop =
actioncheck =
actionban = iptables -I banned 1 -s -j DROP
actionunban = /bin/true
[Init]
(Important point is to choose a different iptables chain than the one used for regular (i.e. temporary) bans!)
# /etc/fail2ban/jail.conf
(...)
[fail2ban]
enabled = true
findtime = 86400
filter = fail2ban
action = permaban
mail[logpath=/var/log/fail2ban.log]
logpath = /var/log/fail2ban.log
maxretry = 2
Still testing it, but looks promising :)