Modern brute force attackers have adapted to evade standard fail2ban configurations by carefully throttling their attempts to stay below detection thresholds. While fail2ban's automatic banning works well for obvious attacks, we sometimes need to manually intervene when we detect suspicious patterns that don't trigger the automatic rules.
Fail2ban provides several ways to manually ban IP addresses with custom durations:
Method 1: Using fail2ban-client
# Set the jail's bantime to 24 hours, then ban; banip uses whatever bantime is in effect for the jail
sudo fail2ban-client set sshd bantime 86400
sudo fail2ban-client set sshd banip 192.168.1.100
# Ban an IP range for 7 days
sudo fail2ban-client set sshd bantime 604800
sudo fail2ban-client set sshd banip 192.168.1.0/24
Method 2: Direct Jail Manipulation
# First find your jail name
sudo fail2ban-client status
# Then set the ban duration in seconds and add the address to that jail's ban list
sudo fail2ban-client set [jailname] bantime [seconds]
sudo fail2ban-client set [jailname] banip [ip_address]
For IPs that should never be allowed, add them to /etc/hosts.deny. This relies on TCP Wrappers (libwrap) support in sshd, which upstream OpenSSH removed in version 6.7, so confirm that your distribution's sshd still honours hosts.deny before relying on it:
# Edit hosts.deny
sudo nano /etc/hosts.deny
# Add entry (example)
sshd: 45.33.12.8
Combine manual bans with monitoring tools to catch slow attacks:
#!/bin/bash
# Monitor auth.log for slow brute force: ban after 3 failures from one IP.
# The IP is taken as the field after "from", which also works for
# "Failed password for invalid user NAME from IP" lines where $11 is not the IP.
tail -F /var/log/auth.log | awk '
/Failed password/ {
    for (i = 1; i <= NF; i++) if ($i == "from") { ip = $(i + 1); break }
    count[ip]++;
    if (count[ip] >= 3) {
        system("sudo fail2ban-client set sshd banip " ip);
        print "Banned " ip " (jail bantime applies)";
        delete count[ip];
    }
}'
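The same idea with a proper sliding time window, as an added example that is not part of the original page: it counts failures per IP over a window far longer than fail2ban's findtime, extracts the IP correctly for both "Failed password for USER from IP" and "invalid user" lines, and only prints the fail2ban-client commands for an operator to review rather than running them. The log lines are constructed, and the year argument is an assumption because syslog timestamps omit it.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Traditional syslog sshd line; the optional "invalid user " keeps the IP in the right place.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>\S+) port \d+"
)

def find_slow_bruteforce(lines, window_seconds=86400, threshold=5, year=2024):
    """Return {ip: peak_failures} for IPs that reach `threshold` failures within
    any `window_seconds` span. Syslog timestamps omit the year, so it is passed in."""
    recent = defaultdict(deque)   # per-IP timestamps inside the current window
    flagged = {}
    for line in lines:
        m = FAILED_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S").timestamp()
        q = recent[m["ip"]]
        q.append(ts)
        while ts - q[0] > window_seconds:   # slide the window forward
            q.popleft()
        if len(q) >= threshold:
            flagged[m["ip"]] = max(flagged.get(m["ip"], 0), len(q))
    return flagged

def ban_commands(flagged, jail="sshd"):
    """Commands an operator would review before running (not executed here)."""
    return [f"fail2ban-client set {jail} banip {ip}" for ip in sorted(flagged)]

# Constructed sample log: one host spreading attempts ~40 minutes apart (below the
# findtime = 600 / maxretry = 3 setting shown on this page) and one user mistyping a password.
SAMPLE_LOG = [
    "Mar  1 08:00:01 host sshd[1001]: Failed password for root from 203.0.113.45 port 51234 ssh2",
    "Mar  1 08:41:17 host sshd[1002]: Failed password for invalid user admin from 203.0.113.45 port 51235 ssh2",
    "Mar  1 09:15:00 host sshd[1006]: Failed password for alice from 198.51.100.7 port 40000 ssh2",
    "Mar  1 09:15:20 host sshd[1007]: Failed password for alice from 198.51.100.7 port 40001 ssh2",
    "Mar  1 09:15:40 host sshd[1008]: Accepted password for alice from 198.51.100.7 port 40002 ssh2",
    "Mar  1 09:22:03 host sshd[1003]: Failed password for root from 203.0.113.45 port 51236 ssh2",
    "Mar  1 10:05:44 host sshd[1004]: Failed password for ubuntu from 203.0.113.45 port 51237 ssh2",
    "Mar  1 10:50:12 host sshd[1005]: Failed password for invalid user oracle from 203.0.113.45 port 51238 ssh2",
]

if __name__ == "__main__":
    for cmd in ban_commands(find_slow_bruteforce(SAMPLE_LOG)):
        print(cmd)
```

Running it with fail2ban's own findtime (window_seconds=600, threshold=3) flags nothing, which is exactly why the slow attacker slips past the jail.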
Check currently banned IPs with:
sudo fail2ban-client get sshd banned
Or check iptables directly:
sudo iptables -L -n
- Always verify IPs before banning - attackers sometimes spoof legitimate addresses
- Consider using fail2ban's recidive jail for repeat offenders
- Monitor your ban list to avoid blocking legitimate users
- Document manual bans for future reference
While fail2ban's automated detection works well for basic brute force attacks, sophisticated attackers now employ timing tricks to evade detection. They deliberately slow down their attempts to stay below fail2ban's default threshold. In such cases, manual intervention becomes necessary when you've identified malicious IPs through other monitoring methods.
The most straightforward way to manually ban an IP is using fail2ban-client:
sudo fail2ban-client set [jail-name] banip [IP-address]
For example, to ban 192.168.1.100 in the sshd jail:
sudo fail2ban-client set sshd banip 192.168.1.100
To set a different default ban time for the jail (e.g., 24 hours), modify the jail configuration:
sudo nano /etc/fail2ban/jail.local
Add or modify these parameters for your jail:
[sshd]
bantime = 86400 ; 24 hours in seconds
findtime = 600 ; 10 minutes
maxretry = 3 ; Allowed attempts
Bans already survive fail2ban service restarts: since version 0.9 fail2ban records them in its SQLite database and restores any that have not expired when it starts. What you do want in a drop-in file is the list of addresses that must never be banned, applied to every jail:
sudo nano /etc/fail2ban/jail.d/persistent.conf
Add this content:
[DEFAULT]
ignoreip = 127.0.0.1/8 ::1 ; Always exclude localhost
To ban an entire subnet (e.g., 192.168.1.0/24):
sudo fail2ban-client set sshd banip 192.168.1.0/24
Check currently banned IPs:
sudo fail2ban-client status sshd
Unban an IP manually:
sudo fail2ban-client set sshd unbanip 192.168.1.100
For frequent manual bans, create a script (/usr/local/bin/f2b-manual-ban):
#!/bin/bash
# Usage: f2b-manual-ban <jail> <ip> <hours>
set -euo pipefail
[ $# -eq 3 ] || { echo "usage: $0 <jail> <ip> <hours>" >&2; exit 1; }
JAIL=$1
IP=$2
HOURS=$3
# Convert hours to seconds
BANTIME=$((HOURS * 3600))
# Remember the jail's current bantime so it can be restored afterwards
ORIG_BANTIME=$(sudo fail2ban-client get "$JAIL" bantime)
# Temporarily modify bantime
sudo fail2ban-client set "$JAIL" bantime "$BANTIME"
# Ban the IP (the ban takes the bantime in effect at this moment)
sudo fail2ban-client set "$JAIL" banip "$IP"
# Reset to the previous bantime instead of a hardcoded value
sudo fail2ban-client set "$JAIL" bantime "$ORIG_BANTIME"
Usage example (ban for 72 hours):
sudo f2b-manual-ban sshd 203.0.113.45 72
Check fail2ban logs to verify your manual bans are working:
sudo tail -f /var/log/fail2ban.log | grep "NOTICE.*Ban"