How to Efficiently Whitelist Large CDN IP Ranges in Fail2Ban’s jail.local Configuration


When working with CDN providers like Cloudflare, Fastly, or Akamai, you'll often receive extensive IP ranges that need whitelisting in Fail2Ban. The standard ignoreip directive in jail.local expects space-separated values, which becomes problematic with large lists.

Instead of manual editing, use command-line tools to transform the list. For a file named cdn_ips.txt with one IP per line:

# Convert line breaks to spaces and append the result to the existing ignoreip line
# (sed uses | as its delimiter so CIDR ranges containing / do not break the expression)
tr '\n' ' ' < cdn_ips.txt | xargs -I {} sed -i "s|^ignoreip = .*|& {}|" /etc/fail2ban/jail.local

Fail2Ban supports file inclusion since v0.10. Create a separate file (e.g., /etc/fail2ban/jail.d/cdn-whitelist.conf):

[DEFAULT]
# Fail2Ban does not run $(...) shell substitutions in its config files, so the
# CDN ranges have to be written here literally, one per indented continuation
# line (multi-line values are accepted since 0.10); let the maintenance script
# regenerate this file. 203.0.113.0/24 is a placeholder, not a real CDN range.
# Note: jail.local is read after jail.d/*.conf, so an ignoreip set there would
# override this one.
ignoreip = ::1 127.0.0.1/8
        192.168.1.0/24
        203.0.113.0/24

Convert individual IPs to CIDR blocks when possible. Example using iprange tool:

# Install iprange if needed
sudo apt-get install iprange

# Merge individual IPs and overlapping blocks into the smallest set of CIDR
# ranges; merging/optimizing is iprange's default action when given input files
iprange cdn_ips.txt > cdn_ranges.txt

After making changes, always verify your configuration:

fail2ban-client --test
systemctl restart fail2ban
fail2ban-client status your-jail-name

Recommended practices:
- Maintain version control for configuration files
- Document all whitelisted ranges with comments
- Regularly update CDN IP lists (consider automation)
- Test new configurations in a staging environment

For recurring updates, create a maintenance script:

#!/bin/bash
set -euo pipefail
CDN_URL="https://www.cloudflare.com/ips-v4"
CONF_FILE="/etc/fail2ban/jail.d/cdn-whitelist.conf"
TMP=$(mktemp); trap 'rm -f "$TMP"' EXIT

# Download to a temp file and refuse to write an empty whitelist
wget -q -O "$TMP" "$CDN_URL"
[ -s "$TMP" ] || { echo "empty IP list from $CDN_URL" >&2; exit 1; }

# jail.local is read after jail.d/*.conf and would override this ignoreip, so
# keep ignoreip out of jail.local and list the local addresses here as well
{ echo "[DEFAULT]"; echo "ignoreip = ::1 127.0.0.1/8 $(tr '\n' ' ' < "$TMP")"; } > "$CONF_FILE"

# Validate before reloading so a bad file cannot take the service down
fail2ban-client --test && systemctl reload fail2ban

When working with Fail2Ban, particularly with CDN providers that supply extensive IP whitelists, the standard ignoreip configuration in jail.local becomes cumbersome. The requirement to specify IPs in a single line with space separation poses two main problems:

  • The line length becomes unwieldy and potentially error-prone
  • Maintenance and readability suffer as the list grows

The most maintainable approach is to create a separate file containing your IP whitelist and reference it in your jail.local configuration:

# Step 1: Create a whitelist file
sudo nano /etc/fail2ban/ip-whitelist.conf

# Add your IPs, exactly one per line (no trailing spaces or inline comments)
# Example content:
123.45.67.89
234.56.78.90
# ... (all your CDN IPs)

Edit your jail.local file to include this whitelist:

[DEFAULT]
# Individual IPs can still be listed directly (comments must be on their own line)
ignoreip = 127.0.0.1/8 ::1 192.168.1.100
# ignoreip does not accept a file path. Fail2Ban's way to consult an external
# list is ignorecommand: it runs once per candidate address and the address is
# ignored when the command exits 0. grep -x matches whole lines only, so the
# file must hold one literal address per line (CIDR ranges still go in ignoreip).
ignorecommand = /bin/grep -qxF "<ip>" /etc/fail2ban/ip-whitelist.conf

Bash One-liner for Space Separation

If you prefer keeping IPs in ignoreip directly:

# Convert line-separated IPs to space-separated (and strip the trailing space)
IPS=$(tr '\n' ' ' < cdn-ip-list.txt | sed 's/ $//')
# Use | as the sed delimiter: CIDR ranges contain / and would break s/.../.../
sudo sed -i "s|^ignoreip =.*|ignoreip = ${IPS}|" /etc/fail2ban/jail.local

Python Script for Dynamic Updates

For automated updates from your CDN provider:

#!/usr/bin/env python3
import os
import subprocess
import requests

CDN_IP_URL = "https://your-cdn-provider.com/ip-list"
WHITELIST_FILE = "/etc/fail2ban/ip-whitelist.conf"

# Fetch latest IPs; fail loudly on HTTP errors or a hung connection instead
# of silently writing an error page into the whitelist
response = requests.get(CDN_IP_URL, timeout=30)
response.raise_for_status()
ips = '\n'.join([ip.strip() for ip in response.text.splitlines() if ip.strip()])
if not ips:
    raise SystemExit("empty IP list; keeping the existing whitelist")

# Write to a temp file and rename so Fail2Ban never reads a half-written list
tmp = WHITELIST_FILE + '.tmp'
with open(tmp, 'w') as f:
    f.write(ips + '\n')
os.replace(tmp, WHITELIST_FILE)

# Reload fail2ban; check=True turns a failed reload into a non-zero exit status
subprocess.run(['systemctl', 'reload', 'fail2ban'], check=True)

  • Regularly update your whitelist (consider cron jobs for automation)
  • Test configuration changes with fail2ban-client reload before full restarts
  • Monitor logs (journalctl -u fail2ban -f) for any whitelist-related issues
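Both update scripts above write whatever the CDN URL returns straight into a Fail2Ban file. The following Python is an added example, not code from either answer: it takes an already-downloaded list as text, validates every entry with the standard ipaddress module (an HTML error page is rejected instead of being written to the config), collapses adjacent blocks the way the iprange step does, and renders a jail.d fragment using the multi-line ignoreip syntax. The sample list and its 203.0.113.0/24, 198.51.100.7 and 2001:db8::/32 entries are constructed documentation values, not any CDN's real ranges.

```python
import ipaddress

# Added example. Local addresses that must survive a [DEFAULT] ignoreip override.
LOCAL_NETS = ("127.0.0.1/8", "::1")


def parse_ip_list(text):
    """Validate one-address-per-line text into ip_network objects.

    Blank lines and '#' comments are skipped; anything that is not an IPv4/IPv6
    address or CIDR block (e.g. an HTML error page served instead of the list)
    raises ValueError, so a bad download never reaches the Fail2Ban config.
    """
    nets = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        entry = raw.split("#", 1)[0].strip()
        if not entry:
            continue
        try:
            nets.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            raise ValueError(f"line {lineno}: not an IP or CIDR: {entry!r}") from None
    return nets


def _fmt(net):
    # Print single hosts bare rather than as /32 or /128 networks
    return str(net.network_address) if net.prefixlen == net.max_prefixlen else str(net)


def render_jail_fragment(text, extra=()):
    """Render a jail.d fragment with a multi-line ignoreip (continuation lines
    must be indented). Adjacent/overlapping blocks are collapsed, as iprange
    does, and the result is sorted and deduplicated."""
    nets = [ipaddress.ip_network(n, strict=False) for n in LOCAL_NETS + tuple(extra)]
    nets += parse_ip_list(text)
    v4 = ipaddress.collapse_addresses(n for n in nets if n.version == 4)
    v6 = ipaddress.collapse_addresses(n for n in nets if n.version == 6)
    entries = [_fmt(n) for n in (*v4, *v6)]
    lines = ["[DEFAULT]", "ignoreip = " + entries[0]]
    lines += ["        " + e for e in entries[1:]]
    return "\n".join(lines) + "\n"


# Constructed sample: a comment, a blank line, a bare host, two /25 halves that
# collapse into one /24, and an IPv6 block
SAMPLE = "# cdn list\n203.0.113.0/25\n\n203.0.113.128/25\n198.51.100.7\n2001:db8::/32\n"

if __name__ == "__main__":
    print(render_jail_fragment(SAMPLE, extra=["192.168.1.0/24"]), end="")
```

Redirect the output to /etc/fail2ban/jail.d/cdn-whitelist.conf and run fail2ban-client --test before reloading, as in the maintenance script above.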