New firewall chain called "RECIDIVE"

After the upgrade, my recidive filter is still using the HESTIA action:

[recidive]
enabled = true
filter = recidive
action = hestia[name=HESTIA]

Is this ok, or should it use the new firewall chain called “RECIDIVE”? Has this chain been created yet?

Will the RECIDIVE chain be added in the next HestiaCP update, or is it better to add it manually?

Of course it will be added 🙂, there is already a pull request which just needs review and testing.


RECIDIVE works just fine, but can I see which chain exactly is banned (MAIL, WEB, SSH…)? Is it possible to upgrade the CP so it shows something like “WEB(recidive)”, for example?
I ask because in the last months I have had ~20-30 IPs from the same CIDR and I add them to the ban list as e.g. 5.0.0.0/8, but which chain/rule should I use for that if there is only RECIDIVE?!

In Fail2Ban, the recidive jail is designed to catch IPs that are repeatedly getting banned by other jails. Essentially, recidive is like a “meta-jail,” meant to enforce long-term bans for repeat offenders.

Understanding which original jail (e.g., SSH, MAIL, WEB) led to an IP being banned by recidive could require some log diving.

  1. Check Fail2Ban logs: Look through the Fail2Ban log to see when and why a particular IP was banned initially. The log usually resides in /var/log/fail2ban.log.
     grep <IP_ADDRESS> /var/log/fail2ban.log
  2. Use fail2ban-client: You can use fail2ban-client status to get a list of all active jails. For each jail, you can run fail2ban-client status <JAIL_NAME> to see which IPs are currently banned by that specific jail.
  3. Custom logging: You can customize your Fail2Ban configuration to create more detailed logs that make it easier to track the path from the initial jail to recidive.
  4. Chain in iptables: You can also manually inspect iptables (or whatever firewall you are using) to see in which chain the IP is banned.

If you want a more dynamic way to trace back the chain leading to a recidive ban, you might consider scripting a solution. A custom script could analyze the Fail2Ban log to detect whenever an IP gets banned by recidive, then backtrack through the log to identify the original jail that triggered the ban.

If you’re familiar with Python, you could use Python’s logging module to insert additional information into the logs, such as adding “WEB(recidive)”. Then, your script could parse these enriched log entries to produce a summary.
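One way to do the backtracking described in the answer above, as an added example for this thread and not code from HestiaCP or Fail2Ban: the script parses the default fail2ban.log line layout (timestamp, logger, [pid], level, [jail] Ban/Unban ip), replays the Ban events in order, and for every ban issued by the recidive jail reports which jails had banned that IP earlier, rendered in the “WEB(recidive)” style asked for. The jail names in the sample lines (sshd, exim) and the IPs are constructed for the example; the jail called recidive and the log format are Fail2Ban defaults.

```python
"""Trace recidive bans back to the jail(s) that originally banned the IP.

Added example for this forum thread; not HestiaCP or Fail2Ban code.
Parses the default fail2ban.log format, e.g.
  2024-01-05 10:12:01,123 fail2ban.actions  [812]: NOTICE  [sshd] Ban 198.51.100.7
"""
import re
import sys
from collections import defaultdict

# Only plain "Ban"/"Unban" lines are matched; "Restore Ban" lines written on
# restart and "Found" lines from the filter are deliberately skipped.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d+\s+\S+\s+\[\d+\]:\s+"
    r"(?P<level>\w+)\s+\[(?P<jail>[^\]]+)\]\s+(?P<event>Ban|Unban)\s+(?P<ip>\S+)"
)


def parse_events(lines):
    """Yield (timestamp, jail, event, ip) for every Ban/Unban line, in file order."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            yield m["ts"], m["jail"], m["event"], m["ip"]


def trace_recidive(lines, recidive_jail="recidive"):
    """Map each IP banned by the recidive jail to the jails that banned it before.

    Returns {ip: {"recidive_at": ts, "origins": [jail, ...]}}. Origins are in
    order of first appearance, without duplicates. An IP whose earlier bans
    are not in the log any more (e.g. rotated away) gets an empty origins list,
    so callers can tell "unknown" apart from a real jail name.
    """
    history = defaultdict(list)  # ip -> jails that banned it so far
    result = {}
    for ts, jail, event, ip in parse_events(lines):
        if event != "Ban":
            continue
        if jail == recidive_jail:
            origins = []
            for j in history[ip]:
                if j not in origins:
                    origins.append(j)
            result[ip] = {"recidive_at": ts, "origins": origins}
        else:
            history[ip].append(jail)
    return result


def label(ip, trace):
    """Render one trace as 'IP: JAIL(recidive)', e.g. 'exim+sshd(recidive)'."""
    origins = trace["origins"] or ["unknown"]
    return f"{ip}: {'+'.join(origins)}(recidive)"


# Constructed sample log lines (not captured from a real server).
SAMPLE_LOG = """\
2024-01-05 10:12:01,123 fail2ban.actions        [812]: NOTICE  [sshd] Ban 198.51.100.7
2024-01-05 10:22:01,456 fail2ban.actions        [812]: NOTICE  [sshd] Unban 198.51.100.7
2024-01-05 10:30:44,789 fail2ban.actions        [812]: NOTICE  [exim] Ban 203.0.113.9
2024-01-05 10:35:10,001 fail2ban.actions        [812]: NOTICE  [sshd] Ban 198.51.100.7
2024-01-05 10:35:11,002 fail2ban.actions        [812]: NOTICE  [recidive] Ban 198.51.100.7
2024-01-05 10:50:00,000 fail2ban.actions        [812]: NOTICE  [sshd] Ban 203.0.113.9
2024-01-05 11:00:00,000 fail2ban.actions        [812]: NOTICE  [recidive] Ban 192.0.2.50
2024-01-05 11:05:00,000 fail2ban.filter         [812]: INFO    [sshd] Found 203.0.113.9 - 2024-01-05 11:04:59
2024-01-05 11:05:01,000 fail2ban.actions        [812]: NOTICE  [exim] Ban 203.0.113.9
2024-01-05 11:05:02,000 fail2ban.actions        [812]: NOTICE  [recidive] Ban 203.0.113.9
""".splitlines()


if __name__ == "__main__":
    # Pass a path (normally /var/log/fail2ban.log) to run it on a real log.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            lines = fh.read().splitlines()
    else:
        lines = SAMPLE_LOG
    for ip, trace in trace_recidive(lines).items():
        print(label(ip, trace))
```

On the sample data this prints one line per recidive ban, e.g. `203.0.113.9: exim+sshd(recidive)`, and `192.0.2.50: unknown(recidive)` for the IP whose original bans are not in the log. Only the current log file is read, so run it across the rotated `fail2ban.log.1` files too (or concatenate them in order) when a recidive ban is older than the current file.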