Fail2ban: Adding more than one custom ignoreip list

I want to add a custom ignoreip list (e.g. Cloudflare IPs), but I don't want it to make /etc/fail2ban/jail.local look messy, like this:

# cat /etc/fail2ban/jail.local

[DEFAULT]
bantime = 86400
findtime = 600
maxretry = 3
ignoreip = 173.245.48.0/20 103.21.244.0/22 103.22.200.0/22 103.31.4.0/22 141.101.64.0/18 108.162.192.0/18 190.93.240.0/20 188.114.96.0/20 197.234.240.0/22 198.41.128.0/17 162.158.0.0/15 104.16.0.0/13 104.24.0.0/14 172.64.0.0/13 131.0.72.0/22 2400:cb00::/32 2606:4700::/32 2803:f800::/32 2405:b500::/32 2405:8100::/32 2a06:98c0::/29 2c0f:f248::/32 127.0.0.1/32
. . .

I want to store the Cloudflare IPs in a separate file and include it in jail.local.

First, add a separate file containing the Cloudflare whitelist IPs. Note the section name [cloudflare_whitelist_ips]; we will reuse it in jail.local.

# cat /etc/fail2ban/cloudflare_whitelist_ips.local

[cloudflare_whitelist_ips]
ignoreip = 173.245.48.0/20 103.21.244.0/22 103.22.200.0/22 103.31.4.0/22 141.101.64.0/18 108.162.192.0/18 190.93.240.0/20 188.114.96.0/20 197.234.240.0/22 198.41.128.0/17 162.158.0.0/15 104.16.0.0/13 104.24.0.0/14 172.64.0.0/13 131.0.72.0/22 2400:cb00::/32 2606:4700::/32 2803:f800::/32 2405:b500::/32 2405:8100::/32 2a06:98c0::/29 2c0f:f248::/32

Update your /etc/fail2ban/jail.local to include cloudflare_whitelist_ips.local:

# cat /etc/fail2ban/jail.local

[INCLUDES]
before = cloudflare_whitelist_ips.local

[DEFAULT]
bantime = 86400
findtime = 600
maxretry = 3
ignoreip = %(cloudflare_whitelist_ips/ignoreip)s 127.0.0.1/32

Note the %(cloudflare_whitelist_ips/ignoreip)s reference: Fail2ban supports it through Python's string formatting operations.

Testing:

fail2ban-client -d

fail2ban-client --dp

fail2ban-client -t

Apply:

fail2ban-client reload
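
Because every entry in ignoreip exempts a network from banning, it is worth checking the include file before reloading. The following is an added example, not part of the original page or of Fail2ban itself: the function name check_ignoreip, the min_prefix threshold and the sample file content are assumptions made for illustration.

```python
import configparser
import ipaddress
import re

# Constructed sample of an include file; the 2nd, 3rd and last entries are
# deliberately wrong to show what the check catches.
SAMPLE = """\
[cloudflare_whitelist_ips]
ignoreip = 173.245.48.0/20 03.21.244.0/22 173.245.48.1/20 2400:cb00::/32 0.0.0.0/0
"""

# An IPv4 octet written with a leading zero usually means a truncated entry.
LEADING_ZERO = re.compile(r"(^|\.)0\d")


def check_ignoreip(text, section="cloudflare_whitelist_ips", min_prefix=8):
    """Return (valid_networks, problems) for the ignoreip option of `section`."""
    parser = configparser.RawConfigParser()  # raw: leave any %(...)s untouched
    parser.read_string(text)
    valid, problems = [], []
    # Entries are separated by spaces (commas are tolerated here as well).
    for token in parser.get(section, "ignoreip").replace(",", " ").split():
        if ":" not in token and LEADING_ZERO.search(token.split("/")[0]):
            problems.append((token, "IPv4 octet with leading zero"))
            continue
        try:
            # strict=True rejects entries with host bits set (e.g. x.x.x.1/20).
            net = ipaddress.ip_network(token, strict=True)
        except ValueError as exc:
            problems.append((token, str(exc)))
            continue
        if net.prefixlen < min_prefix:
            # Assumed policy: a very short prefix whitelists far too much.
            problems.append((token, "prefix shorter than /%d" % min_prefix))
            continue
        valid.append(net)
    return valid, problems


if __name__ == "__main__":
    ok, bad = check_ignoreip(SAMPLE)
    print("valid:", [str(n) for n in ok])
    for token, reason in bad:
        print("REJECTED %s: %s" % (token, reason))
```

This check expects only IP addresses and CIDR blocks in the file, so a DNS host name in ignoreip would be reported as a problem.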
  • Last modified: 5 months ago
  • by nghiale@infotechviet.com