Hi there,
Question regarding fail2ban’s ‘recidive’ filter.
Below is the default configuration
[recidive]
# recidivist.
#
# Noun: A convicted criminal who reoffends, especially repeatedly.
#
enabled = true
filter = recidive
logpath = /var/log/fail2ban.log*
action = iptables-allports[name=recidive, protocol=all]
         sendmail[name=recidive, dest=support@[domain.com, sender=notifications@domain.com]
bantime = 604800 ; 1 week
findtime = 86400 ; 1 day
maxretry = 20
By looking at all fail2ban log files (/var/log/fail2ban.log*), it creates an issue. For example, IP 192.168.1.1 was banned for 2 days because of a bad REGISTER, but today the issue is fixed on the client’s end. Even if we remove the IP from the banlist (System Admin > Intrusion Detection), the IP will be banned again by the ‘recidive’ jail.
The solution is to remove all the old fail2ban logs, or add the IP to the whitelist and wait a few days before removing it from the whitelist.
For the situations where the real bad requests keep coming in and we need to ban an IP for a longer period, okay, I understand, but in my sample it’s a little bit overkill, no?
Greets,
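To make the behaviour described above concrete, here is an added Python model of what the recidive jail does (this is an illustration written for this thread, not fail2ban’s own code). It uses a simplified version of the recidive failregex and constructed log lines; the point it shows is that a manual unban does not remove the old "Ban" lines from the log, so the count inside `findtime` is unchanged, while a whitelist (`ignoreip`) or simply waiting past `findtime` does clear it.

```python
import re
from datetime import datetime, timedelta

# Simplified recidive filter (assumption, modelled on the real one): match
# "NOTICE [<jail>] Ban <ip>" written by fail2ban.actions for any other jail.
BAN_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d+\s+fail2ban\.actions\s+"
    r"\[\d+\]:\s+NOTICE\s+\[(?P<jail>[^\]]+)\]\s+Ban\s+(?P<ip>\S+)"
)

def parse_bans(lines):
    """Yield (timestamp, jail, ip) for every Ban line from a non-recidive jail."""
    for line in lines:
        m = BAN_RE.match(line)
        if m and m.group("jail") != "recidive":   # recidive ignores its own bans
            ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
            yield ts, m.group("jail"), m.group("ip")

def recidive_bans(lines, now, findtime=86400, maxretry=20, ignoreip=()):
    """IPs recidive would ban at `now` ("YYYY-MM-DD HH:MM:SS"): those with at
    least `maxretry` Ban lines in the last `findtime` seconds across every log
    file given (rotated ones included), minus whitelisted addresses.
    Note there is no 'unbanned' state: the log lines alone decide."""
    now_dt = datetime.strptime(now, "%Y-%m-%d %H:%M:%S")
    window_start = now_dt - timedelta(seconds=findtime)
    counts = {}
    for ts, _jail, ip in parse_bans(lines):
        if window_start <= ts <= now_dt and ip not in ignoreip:
            counts[ip] = counts.get(ip, 0) + 1
    return {ip for ip, n in counts.items() if n >= maxretry}

# Constructed sample log: 192.168.1.1 hit maxretry (20 bans by the asterisk
# jail) on 2024-03-10; one recidive ban of it and one unrelated ban follow.
SAMPLE_LOG = [
    f"2024-03-10 {h:02d}:05:00,000 fail2ban.actions [4242]: NOTICE [asterisk] Ban 192.168.1.1"
    for h in range(20)
] + [
    "2024-03-10 12:00:00,000 fail2ban.actions [4242]: NOTICE [recidive] Ban 192.168.1.1",
    "2024-03-10 12:10:00,000 fail2ban.actions [4242]: NOTICE [asterisk] Ban 10.0.0.7",
]

if __name__ == "__main__":
    # Same evening, after the client was fixed and manually unbanned: still banned.
    print(recidive_bans(SAMPLE_LOG, "2024-03-10 20:00:00"))
    # Whitelisted: not banned.
    print(recidive_bans(SAMPLE_LOG, "2024-03-10 20:00:00", ignoreip=("192.168.1.1",)))
    # Once the oldest Ban line has aged out of findtime: not banned.
    print(recidive_bans(SAMPLE_LOG, "2024-03-11 00:10:00"))
```

Removing or rotating away the old log files has the same effect as the last case, which is why deleting the logs "fixes" it.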