From 3f5c47695e90f38bcdee5eb8974233776c234b4c Mon Sep 17 00:00:00 2001
From: Tom Eastep
Date: Sun, 7 Jun 2020 12:37:45 -0700
Subject: [PATCH] Expand fail2ban documentation in the blacklisting article

Signed-off-by: Tom Eastep
---
 docs/blacklisting_support.xml | 28 +++++++++++++++++++++++++++-
 1 file changed, 27 insertions(+), 1 deletion(-)

diff --git a/docs/blacklisting_support.xml b/docs/blacklisting_support.xml
index 1197736d1..9f4b1ce23 100644
--- a/docs/blacklisting_support.xml
+++ b/docs/blacklisting_support.xml
@@ -298,7 +298,7 @@ DROP net:200.55.14.18 all details. -
+
BLACKLIST and Fail2ban The BLACKLIST command can be used as 'blocktype' in @@ -335,5 +335,31 @@ DROP net:200.55.14.18 all comand. + + There are a couple of additional things to note: + + + + The documentation in /etc/fail2ban/action.d/shorewall.conf + states that you should set BLACKLIST=All. A better approach when using + BLACKLIST as the 'blocktype' is to specify the disconnect option in the setting of + DYNAMIC_BLACKLIST. With BLACKLIST=All, every packet entering the + firewall from the net must be checked against the dynamic-blacklisting + ipset. That is not required when you specify disconnect. + + + + The noupdate option allows + fail2ban full control when a host is 'unbanned'. The cost of using + this option is that after the specified timeout, the entry for an attacking host will + be removed from the dynamic-blacklisting ipset, even if the host has + continued the attack while blacklisted. This isn't a great concern, as + the first attempt to access an unauthorized service will result in the + host being re-blacklisted. + +
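Review bot: in the hunk at @@ -298,7 +298,7 @@ the one removed line and the one added line both come through empty in this rendering, so what actually changed there (presumably markup only, such as an attribute on the enclosing element, since the file is XML) cannot be verified from the patch as shown; the commit message describes only the fail2ban expansion, so a one-line mention of that change in the message would save the next reader of the log from having to diff the tags to find out.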
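Review bot: the sentence at the end of the hunk at @@ -335,5 +335,31 @@, "the first attempt to access an unauthorized service will result in the host being re-blacklisted", should say which mechanism does the re-blacklisting: fail2ban only bans after its configured number of failures within its findtime window, so if the re-ban is expected from fail2ban, "first attempt" overstates it, and if it is expected from Shorewall's own blacklisting of unauthorized access, the text should name that mechanism so the reader knows it must be enabled for the noupdate trade-off to be harmless. Two smaller points in the same hunk: the first list item tells the reader to "specify the disconnect option in the setting of DYNAMIC_BLACKLIST" but never shows the resulting setting, and one example line with the disconnect option (and, for the second item, the noupdate option and the timeout it interacts with) would make both recommendations actionable rather than leaving the reader to work out the syntax; and the unchanged context line "comand." immediately above the added text misspells "command" and could be fixed while this section is being edited.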