Anyone running public-facing servers knows the constant barrage of unauthorized login attempts. My own experience mirrors what many administrators face - within minutes of setting up a new server with SSH enabled, the auth logs start filling with failed login attempts from around the globe.

While fail2ban effectively blocks individual IPs on each server, managing this across multiple hosts becomes cumbersome. Here are three practical approaches I've implemented:

# Method 1: Shared Database Backend
# Configure fail2ban to use a central database
[DEFAULT]
backend = auto
dbpurgeage = 86400

[Definition]
actionban = sqlite3 /path/to/shared/bans.db "INSERT INTO bans VALUES('', strftime('%s', 'now'))"

Several services aggregate malicious IP data:

• FireHOL's IP blocklists (updated hourly)
• AbuseIPDB's crowdsourced database
• Blocklist.de's fail2ban-focused lists

For those running multiple servers, this bash script syncs banned IPs hourly:

#!/bin/bash
# Sync fail2ban banned IPs between servers
MASTER_SERVER="admin.example.com"
LOCAL_JAILS=$(fail2ban-client status | grep "Jail list" | cut -f2)

for JAIL in ${LOCAL_JAILS//,/ }; do
  ssh root@${MASTER_SERVER} "fail2ban-client status ${JAIL}" | \
    grep "Banned IP list" | \
    cut -f2 | \
    xargs -I {} fail2ban-client set ${JAIL} banip {}
done

When sharing IP bans:

• Maintain a whitelist for legitimate IPs that might get caught
• Implement rate limiting to prevent overblocking
• Monitor for false positives that might affect legitimate users

After deploying fail2ban on my production servers, I quickly noticed a pattern - the same malicious IPs kept reappearing across different servers. The default isolated protection became inefficient when attackers simply shifted between my infrastructure endpoints.

fail2ban actually includes built-in sharing mechanisms we can leverage:

# In jail.local
[ssh]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
# Share bans via iptables
action = iptables-allports[name=SSH, chain=INPUT]

For real-time synchronization across servers, Redis works exceptionally well:

# Install required packages
sudo apt-get install fail2ban redis-server

# Configure fail2ban to use Redis
cat >> /etc/fail2ban/jail.local << EOF
[DEFAULT]
banaction = iptables-redis
banaction_allports = iptables-redis-allports

[ssh]
enabled = true
port = ssh
filter = sshd
maxretry = 3
bantime = 86400
action = %(banaction)s[name=SSH, port="ssh", protocol="tcp"]
EOF

Several services aggregate banned IPs:

• AbuseIPDB: Offers fail2ban integration via their API
• Blocklist.de: Provides pre-configured fail2ban actions
• FireHOL: Maintains updated IP blocklists

Here's a Python script that syncs banned IPs across servers:

import redis
import subprocess

r = redis.Redis(host='central-redis.example.com', port=6379)

def sync_bans():
    # Get current bans
    output = subprocess.check_output(['fail2ban-client', 'status', 'ssh'])
    banned_ips = parse_fail2ban_output(output)
    
    # Push to Redis
    for ip in banned_ips:
        r.sadd('global:banned_ips', ip)
    
    # Pull from Redis
    global_bans = r.smembers('global:banned_ips')
    for ip in global_bans:
        subprocess.call(['fail2ban-client', 'set', 'ssh', 'banip', ip])

def parse_fail2ban_output(output):
    # Implementation omitted for brevity
    return []

When implementing shared banning:

• Always validate IPs before banning
• Implement rate limiting on your sharing mechanism
• Maintain audit logs of all ban operations
• Consider false positives when using community lists

In my tests with 50+ servers sharing bans: