Configuring fail2ban to drop silently


Cheat-sheet version:

apt install fail2ban
printf "[Init]\nblocktype = DROP" > /etc/fail2ban/action.d/iptables-blocktype.local
service fail2ban restart

Full post:

By default, fail2ban will send ICMP unreachable messages in response to any connections from hosts on its banned list. This was changed a number of years ago from the former default behavior of DROP.

If, like me, you prefer silent drops to the informative ICMP unreachable message, the behavior can be changed as follows:

  1. Create the file /etc/fail2ban/action.d/iptables-blocktype.local
  2. Enter the following code:
    [Init]
    blocktype = DROP
    
  3. Save the file and restart fail2ban.
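To see why a two-line `.local` file is enough, the following added example (not fail2ban's own code) models the way fail2ban layers a `.local` file over its `.conf` twin and then expands the `blocktype` tag into the iptables rule issued at ban time. The `.conf` contents, the `actionban` template and the sample IP are constructed to mirror the shape of 0.9-era action files; the temporary directory stands in for `/etc/fail2ban/action.d`.

```python
"""Model of how a fail2ban `.local` file overrides its `.conf` twin.

Added example, not fail2ban's own code. The .conf/.local contents and
the actionban template below are constructed to mirror the shape of
fail2ban 0.9-era action files; paths and the sample IP are made up.
"""
import configparser
import os
import tempfile

# Constructed stand-in for /etc/fail2ban/action.d/iptables-blocktype.conf
BLOCKTYPE_CONF = """[INCLUDES]
after = iptables-blocktype.local

[Init]
blocktype = REJECT --reject-with icmp-port-unreachable
"""

# The override the post tells you to create as iptables-blocktype.local
BLOCKTYPE_LOCAL = """[Init]
blocktype = DROP
"""

# Constructed actionban template in fail2ban's <tag> style (simplified)
ACTIONBAN_TEMPLATE = "iptables -I f2b-<name> 1 -s <ip> -j <blocktype>"


def load_blocktype(action_dir):
    """Read iptables-blocktype.conf, then .local on top of it, and return
    the effective `blocktype`. Later files win, which is why a two-line
    .local is enough to flip the default from REJECT to DROP."""
    parser = configparser.ConfigParser(interpolation=None)
    paths = [os.path.join(action_dir, "iptables-blocktype.conf"),
             os.path.join(action_dir, "iptables-blocktype.local")]
    parser.read(paths)  # a missing .local is silently skipped
    return parser.get("Init", "blocktype")


def render_ban_rule(blocktype, jail, ip):
    """Expand the <tag>s in the actionban template for one banned IP."""
    return (ACTIONBAN_TEMPLATE
            .replace("<name>", jail)
            .replace("<ip>", ip)
            .replace("<blocktype>", blocktype))


def demo(with_local):
    """Build a throwaway action.d, optionally with the .local override,
    and return the iptables rule that would be issued for a ban."""
    with tempfile.TemporaryDirectory() as action_dir:
        with open(os.path.join(action_dir, "iptables-blocktype.conf"), "w") as f:
            f.write(BLOCKTYPE_CONF)
        if with_local:
            with open(os.path.join(action_dir, "iptables-blocktype.local"), "w") as f:
                f.write(BLOCKTYPE_LOCAL)
        blocktype = load_blocktype(action_dir)
    # 203.0.113.7 is a constructed documentation-range address
    return render_ban_rule(blocktype, "sshd", "203.0.113.7")


if __name__ == "__main__":
    print("default:", demo(with_local=False))
    print("silent :", demo(with_local=True))
```

Running it prints the default rule ending in `-j REJECT --reject-with icmp-port-unreachable` and, with the `.local` present, the same rule ending in `-j DROP`. On a real host the equivalent check after restarting fail2ban is to inspect the `f2b-*` chains with `iptables -S` and confirm the ban target is `DROP`.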

This won’t deter a persistent connection attempt, but simple automated attacks are more likely to move on to another target when they receive no response than when they receive active replies. At a minimum, it will slow some tools that adjust their rate limiting depending on whether or not they get a response.

Realistically, all a live adversary needs to do is port scan from another IP to confirm that the host is alive, but for the script-kiddies and simple attacks it will help to remove the system from their radar.

Updated 2018.09.02 - With a better understanding of the risks of features such as fail2ban, I no longer recommend implementing it. The limited protection of shunning a source IP is outweighed by the risk of granting an adversary the ability to write arbitrary content to your system.
