On Wed, Aug 15, 2018 at 09:29:58PM -0400, cyaiplexys wrote:
> Is there a better way to do this? I have a cron job that gathers IP
> addresses that get more than 1,000 hits from the apache log file and that
> gets put in the ip.blacklist.perm file.

If (as the filename implies) you want to block these addresses permanently, then why are you using a tool designed to manage blocks dynamically (fail2ban)? Just use your preferred firewall management tool to add a rule to block them outside of fail2ban. For example, I manage my firewalls with ufw, so I would use 'ufw deny from $IP_ADDR'. It takes effect instantly, with no need to restart anything, and will be persistent across reboots.

If you don't actually want them to be permanent, then you could instead create a fail2ban jail which detects IP addresses which have generated 1000 incoming requests to ports 80/443 within the last 60 minutes (or whatever timeframe your log analysis script looks at) and bans them for a week (or however long you like), without needing to wait for the log analysis script to run first.

And you can also whitelist certain IPs in the jail config, if there are internal service monitoring machines or whatever which legitimately generate levels of traffic which would normally trigger a ban.

-- 
Dave Sherohman
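
The jail described in the message above, written out as an added example; it is not part of the original message and not the poster's own configuration. The name `apache-reqflood`, the file locations, the log path and the whitelisted address `192.0.2.10` are assumptions to adapt to the host.

```ini
# ---- File 1: /etc/fail2ban/filter.d/apache-reqflood.conf ----
# (hypothetical filter name; the file name must match "filter =" below)
[Definition]
# Treat every request line in the access log as one "failure" for the
# client address at the start of the line. fail2ban does the counting.
failregex = ^<HOST> -.*"(GET|POST|HEAD) 
ignoreregex =

# ---- File 2: /etc/fail2ban/jail.d/apache-reqflood.conf ----
[apache-reqflood]
enabled  = true
filter   = apache-reqflood
# Block the banned address on the web ports only.
port     = http,https
# Assumed log location (Debian-style Apache layout); change as needed.
logpath  = /var/log/apache2/access.log
# 1000 matching requests ...
maxretry = 1000
# ... within the last 60 minutes (value in seconds) ...
findtime = 3600
# ... bans the address for one week (value in seconds).
bantime  = 604800
# Space-separated addresses/CIDR ranges that are never banned, e.g. an
# internal monitoring machine. 192.0.2.10 is a constructed placeholder.
ignoreip = 127.0.0.1/8 ::1 192.0.2.10
```

Running `fail2ban-regex /var/log/apache2/access.log /etc/fail2ban/filter.d/apache-reqflood.conf` shows how many existing log lines the filter matches before the jail is enabled.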