IP blocker (apparent) failure

Bans are temporary: every time you restart iptables, fail2ban or the whole server, those rules disappear. The strange thing is that the entries added manually to banlist.conf remain, so that file has to be emptied every time fail2ban restarts.

If you want permanent rules, add them directly to the firewall rules: use v-add-firewall-rule instead of v-add-firewall-ban.

Rather than adding the rules one by one, which is tedious and, with many rules, costs server performance (every address becomes a separate iptables rule that packets are matched against in sequence), the recommended way is to add an ipset containing all the ips/networks you want to block: a single rule then matches the whole set.


We will create an ipset named permaban. First, create the directory that will hold the list of networks and ips and the helper script:

mkdir -p /var/lib/permaban/bin/

To keep the ips you have already added manually to banlist.conf, parse that file, extract the ips and networks, drop duplicates and save them to the list file the new ipset will read:

awk -F "'" '/^IP=/ {print $2}' /usr/local/hestia/data/firewall/banlist.conf | awk '!a[$0]++' > /var/lib/permaban/permaban.list

Empty the banlist.conf file:

:> /usr/local/hestia/data/firewall/banlist.conf

Add the ipset named permaban and create a rule that DROPs every ip/network listed in that ipset:

v-add-firewall-ipset permaban "file:/var/lib/permaban/permaban.list" v4 yes
v-add-firewall-rule DROP ipset:permaban 0 TCP "PERMABAN"

And that's all: from now on, every ip/network listed in /var/lib/permaban/permaban.list will be blocked. Note that the rule above matches protocol TCP only; add an equivalent rule with UDP if you also want to drop UDP traffic from those addresses. Hestia reads the file and updates the ipset every 24 hours, but if you want to add ips/networks easily and update the firewall immediately, I've created a script to do so.
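The migration step above (parse banlist.conf, validate, deduplicate, sort) as an added example that can be checked offline before anything touches the firewall. This is not code from the original post or from Hestia; the function names, the temporary paths and the sample banlist.conf content are constructed for the demonstration, and the validator only accepts IPv4 addresses or networks with a /1 to /32 prefix.

```bash
#!/usr/bin/env bash
# Added example (not part of the original post or of Hestia): rebuild a
# permaban list from a banlist.conf offline. Function names, temp paths and
# the sample banlist.conf below are constructed for the demonstration.
set -euo pipefail

# Accept a single IPv4 address or an IPv4 network with a /1../32 prefix.
# Returns 0 when valid, 1 otherwise.
is_valid_ipv4_cidr() {
    local octet='(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])'
    local re="^$octet(\\.$octet){3}(/([1-9]|[12][0-9]|3[0-2]))?$"
    [[ $1 =~ $re ]]
}

# Print the value of IP='...' from every ban line of a Hestia banlist.conf.
# Each line stores one ban as IP='x' CHAIN='y' TIME='z' DATE='w', so
# splitting on the single quote puts the address in field 2.
extract_banlist_ips() {
    awk -F "'" '/^IP=/ {print $2}' "$1"
}

# Build a validated, deduplicated, version-sorted list file from a
# banlist.conf. Invalid entries are reported on stderr and dropped.
# Prints the number of entries written.
build_permaban_list() {
    local banlist=$1 out=$2 entry
    : > "$out"
    while IFS= read -r entry; do
        if is_valid_ipv4_cidr "$entry"; then
            printf '%s\n' "$entry" >> "$out"
        else
            printf 'Warning: %s is not a valid ip/network, skipping\n' "$entry" >&2
        fi
    done < <(extract_banlist_ips "$banlist")
    sort -Vu "$out" -o "$out"   # sort and drop duplicates in one pass
    wc -l < "$out" | tr -d ' '
}

# Constructed sample input: one duplicate address, one network, one entry
# that is not an IP at all (mirrors the 1.332.3.46 case from the post).
demo() {
    local tmp
    tmp=$(mktemp -d)
    cat > "$tmp/banlist.conf" <<'EOF'
IP='203.0.113.10' CHAIN='HESTIA' TIME='10:00:00' DATE='2023-01-01'
IP='198.51.100.0/24' CHAIN='HESTIA' TIME='10:05:00' DATE='2023-01-01'
IP='203.0.113.10' CHAIN='HESTIA' TIME='11:00:00' DATE='2023-01-02'
IP='1.332.3.46' CHAIN='HESTIA' TIME='11:30:00' DATE='2023-01-02'
IP='192.0.2.7' CHAIN='HESTIA' TIME='12:00:00' DATE='2023-01-02'
EOF
    echo "entries written: $(build_permaban_list "$tmp/banlist.conf" "$tmp/permaban.list")"
    cat "$tmp/permaban.list"
    rm -rf "$tmp"
}

demo
```

Point the first argument of build_permaban_list at /usr/local/hestia/data/firewall/banlist.conf and the second at /var/lib/permaban/permaban.list to reproduce the one-liner from the post with validation added; the invalid entry is the reason for validating before the file is handed to the ipset.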

The script validates the ips/networks, removes duplicates, updates the iptables ipset, etc.

Create the script file named permaban.sh and a symlink to it in /usr/local/bin/ named permaban:

touch /var/lib/permaban/bin/permaban.sh && chmod +x /var/lib/permaban/bin/permaban.sh
ln -s /var/lib/permaban/bin/permaban.sh /usr/local/bin/permaban

Now edit /var/lib/permaban/bin/permaban.sh and add this script:

#!/usr/bin/env bash
# permaban: add ips/networks to the Hestia ipset "permaban" and reload it
source /etc/hestiacp/hestia.conf
# BIN is Hestia's bin dir; fall back to the default location if the sourced
# file does not provide it
BIN="${BIN:-/usr/local/hestia/bin}"

ipset="permaban"
ipset_log="/var/lib/permaban/permaban.log"   # history of what was added and when
ip="$1"
list=""

if [[ -z $ip ]]; then
        echo "Error: you must add at least one ip or ip/mask in CIDR format"
        echo "Usage:"
        echo "       permaban <ip>"
        echo "       permaban <ip/mask>"
        echo "       permaban <ip> <ip> ..."
        echo "       permaban <ip/mask> <ip> ..."
        exit 1
fi

if ! "$BIN"/v-list-firewall-ipset plain | grep -Eq "^$ipset"; then
        echo "Error: ipset $ipset doesn't exist"
        exit 1
fi
if ! "$BIN"/v-list-firewall-ipset plain | grep -Eq "^$ipset.*file:"; then
        echo "Error: ipset $ipset is not using a file to load the ips"
        exit 1
fi

# Keep only valid IPv4 addresses, optionally with a /1 to /32 mask
for i in "$@"; do
        if ! grep -Pq '^(([1-9]?\d|1\d\d|25[0-5]|2[0-4]\d)\.){3}([1-9]?\d|1\d\d|25[0-5]|2[0-4]\d)(/([1-9]|[12][0-9]|3[0-2]))?$' <<<"$i"; then
                echo "Warning: $i is not a valid ip/network so I don't include it"
        else
                list+="$i"$'\n'
        fi
done

if [[ -z $list ]]; then
        echo "There isn't ips/networks to add to ipset $ipset"
        exit 1
fi

# Path of the list file comes from the ipset's "file:" data source
ipset_file="$("$BIN"/v-list-firewall-ipset plain | grep "^$ipset" | awk '{print $5}' | sed 's/^file://')"

ipset_dir="$(dirname "$ipset_file")"
if [[ ! -d "$ipset_dir" ]]; then
        echo "Error: dir $ipset_dir doesn't exist"
        exit 1
fi

echo "Adding list of ips/networks to ${ipset_file}"
printf '%s' "$list" | tee -a "$ipset_file"

# Remove duplicates (keeping a .bak copy), sort, and drop empty lines
awk -i inplace -v INPLACE_SUFFIX=.bak '!a[$0]++' "$ipset_file"
sort -Vu "$ipset_file" -o "$ipset_file"
sed -i '/^$/d' "$ipset_file"

# Hestia rejects lists that are too small: read its minimum from
# v-add-firewall-ipset; if the constant cannot be read, only an empty
# list is rejected
size="$(wc -l <"$ipset_file")"
min_size="$(awk -F '=' '/^IPSET_MIN_SIZE=/ {print $2}' "$BIN"/v-add-firewall-ipset)"
if ! grep -q -E '^[0-9]{1,}$' <<<"$min_size"; then
        min_size=0
fi
if [[ $size -le $min_size ]]; then
        echo "Error: the minimum number of allowed ips/networks is $min_size and you are using $size"
        exit 1
fi

echo -n "Adding ips/networks to ipset and updating iptables..."
if "$BIN"/v-update-firewall-ipset yes | grep -i error; then
        exit 1
fi
echo " OK"
echo "# Added $(date +'%Y-%m-%d %T')" >>"$ipset_log"
printf '%s' "$list" >>"$ipset_log"

Once saved, you can add more ips/networks to the ipset permaban.

Example: adding ips and networks, including invalid ones.

$ permaban whatever 1.332.3.46
Warning: whatever is not a valid ip/network so I don't include it
Warning: 1.332.3.46 is not a valid ip/network so I don't include it
Warning: is not a valid ip/network so I don't include it

Adding list of ips/networks to /var/lib/permaban/permaban.list

Adding ips/networks to ipset and updating iptables... OK

I hope it helps.
