```sh
apt install fail2ban
printf "[Init]\nblocktype = DROP" > /etc/fail2ban/action.d/iptables-blocktype.local
service fail2ban restart
```
If, like me, you prefer silent drops to the informative ICMP unreachable message, the behavior can be changed as follows:
- Create the file /etc/fail2ban/action.d/iptables-blocktype.local
- Enter the following code:

```ini
[Init]
blocktype = DROP
```

- Save the file and restart fail2ban.
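The reason a two-line `.local` file is enough is that fail2ban reads `iptables-blocktype.local` after the packaged `iptables-blocktype.conf`, so any key it repeats wins. The following added example (mine, not from the post or the fail2ban project) reproduces that merge with Python's `configparser` over constructed stand-in files and renders the ban rule that results; the `REJECT --reject-with icmp-port-unreachable` default and the `iptables -I f2b-<jail> 1 -s <ip> -j <blocktype>` rule shape are assumptions based on stock fail2ban and may differ slightly between versions.

```python
"""Show how a .local file overrides fail2ban's iptables-blocktype.conf.

Constructed example: writes a stand-in for the packaged .conf and the
.local override from the post into a temporary directory, merges them
the way fail2ban does (.conf first, .local on top) and renders the
iptables rule a ban would install.
"""
import configparser
import os
import tempfile

# Stand-in for the packaged default (assumption: matches stock fail2ban).
DEFAULT_CONF = "[Init]\nblocktype = REJECT --reject-with icmp-port-unreachable\n"
# The override the post tells you to create.
LOCAL_OVERRIDE = "[Init]\nblocktype = DROP\n"

# Simplified form of the rule fail2ban's iptables action inserts on ban.
BAN_RULE = "iptables -I f2b-{jail} 1 -s {ip} -j {blocktype}"


def effective_blocktype(action_dir: str, name: str = "iptables-blocktype") -> str:
    """Return the blocktype fail2ban would use for this action."""
    parser = configparser.ConfigParser(interpolation=None)
    # read() applies files in list order and skips missing ones, so a key
    # in the .local file replaces the same key from the .conf.
    parser.read([os.path.join(action_dir, f"{name}.conf"),
                 os.path.join(action_dir, f"{name}.local")])
    return parser.get("Init", "blocktype")


def render_ban_rule(action_dir: str, jail: str, ip: str) -> str:
    """Render the iptables rule a ban would install with the effective blocktype."""
    return BAN_RULE.format(jail=jail, ip=ip, blocktype=effective_blocktype(action_dir))


def demo(with_local: bool) -> str:
    """Build a throwaway action.d directory and return the rendered ban rule."""
    with tempfile.TemporaryDirectory() as action_dir:
        with open(os.path.join(action_dir, "iptables-blocktype.conf"), "w") as f:
            f.write(DEFAULT_CONF)
        if with_local:
            with open(os.path.join(action_dir, "iptables-blocktype.local"), "w") as f:
                f.write(LOCAL_OVERRIDE)
        # 203.0.113.7 is a documentation address used as a constructed sample.
        return render_ban_rule(action_dir, "sshd", "203.0.113.7")


if __name__ == "__main__":
    print("without .local:", demo(False))
    print("with .local:   ", demo(True))
```

Running it prints the REJECT rule first and the DROP rule second, which is the only difference the override makes: the banned source still cannot connect, it just receives no ICMP reply.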
This won’t deter a persistent connection attempt, but simple automated attacks are more likely to move on to another target when they receive no response than when they receive active replies. At a minimum, it will slow some tools that adjust their rate limiting depending on whether they get a response or not.
Realistically, all a live adversary needs to do is port scan from another IP to confirm that the host is alive, but for the script-kiddies and simple attacks it will help to remove the system from their radar.
Updated 2018.09.02 - With a better understanding of the risks of features such as fail2ban, I no longer recommend implementing it. The limited protection of shunning a source IP is outweighed by the risk of granting an adversary the ability to write arbitrary content to your system.