Fail2ban 0.9 introduced database storage to save bans across restarts. But I can't find out the actual mechanism of how it works.

There is a dbpurgeage parameter which controls the lifetime of old bans; it defaults to 24 hours. As I see from reading the code, fail2ban saves a ban to the db with timeofban equal to the moment the ban is saved. Then every dbpurgeage period it removes all bans with timeofban < MyTime.time() - self._purgeAge, in other words it removes all bans that were stored more than 24 hours ago.

But what if an IP was banned for a month? Does all this mean that with dbpurgeage = 86400, after a restart in 24 hours I will lose all bans longer than 24 hours?

I just want all my permanent bans to be preserved in any case.

1 Answer

Netfilter rules are not persistent across reboots, so Fail2ban 0.9 records bans in its database and reinstates them when it starts; however, it only remembers each ban for dbpurgeage seconds. If you reboot your system more than dbpurgeage seconds after a particular ban is put in place, that ban will not be restored.

This behavior is independent of bans’ lengths. It doesn’t matter if you have a month-long ban in place if Fail2ban doesn’t remember to restore it. This isn’t a problem if your system doesn’t reboot for the duration of the ban, but if you want to be absolutely sure that you don’t lose it due to a restart, you’ll have to increase dbpurgeage. I’m not sure if there’s an easy way to disable purging altogether.
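To make the interaction between dbpurgeage and bantime concrete, here is a small model of the ban table described in the question and answer. This is an added example, not fail2ban's own code: the class and function names are invented, and the assumptions are that the purge rule is the one quoted in the question (`timeofban < now - purge_age`), that purging runs before bans are reinstated on restart, and that a negative bantime means a permanent ban.

```python
"""Model of the Fail2ban 0.9 ban database purge (added example, not
fail2ban's code). BanDb, simulate_restart and minimum_purge_age are
invented names; the purge rule is the one quoted in the question."""
from dataclasses import dataclass
from typing import List

DAY = 86400


@dataclass
class Ban:
    ip: str
    timeofban: float   # when the ban record was written to the database
    bantime: float     # configured ban length; negative = permanent (assumed)


class BanDb:
    """Minimal stand-in for fail2ban's ban table."""

    def __init__(self, purge_age: float = DAY):
        self.purge_age = purge_age      # dbpurgeage, default 24 h
        self.bans: List[Ban] = []

    def add_ban(self, ip: str, now: float, bantime: float) -> None:
        self.bans.append(Ban(ip, now, bantime))

    def purge(self, now: float) -> None:
        # Only the age of the *record* matters; bantime is not consulted.
        self.bans = [b for b in self.bans if b.timeofban >= now - self.purge_age]

    def restore_on_restart(self, now: float) -> List[str]:
        """IPs whose bans survived purging and are still in force."""
        self.purge(now)   # assumption: purge runs before bans are reinstated
        return sorted(b.ip for b in self.bans
                      if b.bantime < 0 or b.timeofban + b.bantime > now)


def simulate_restart(purge_age: float, bantime: float, restart_after: float) -> bool:
    """True if a ban of `bantime` seconds is reinstated after a restart
    that happens `restart_after` seconds after the ban was recorded."""
    db = BanDb(purge_age)
    db.add_ban("203.0.113.7", now=0.0, bantime=bantime)   # constructed sample IP
    return "203.0.113.7" in db.restore_on_restart(now=restart_after)


def minimum_purge_age(bantimes: List[float]) -> float:
    """Smallest dbpurgeage that keeps every configured ban restorable.
    A permanent (negative) bantime cannot be covered by any finite value."""
    if any(t < 0 for t in bantimes):
        return float("inf")
    return max(bantimes)


if __name__ == "__main__":
    print(simulate_restart(DAY, 30 * DAY, 25 * 3600))        # False: lost
    print(simulate_restart(30 * DAY, 30 * DAY, 25 * 3600))   # True: kept
```

The first call reproduces the scenario in the question (month-long ban, default dbpurgeage, restart 25 hours later); the second shows the answer's fix of raising dbpurgeage to at least the longest bantime.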