This week it happened: I, as an admin, was banned by fail2ban and I did not even know why. So I was thinking about how I could avoid this once and for all.
Always allow SSH from another fixed IP address
The first thing I did was to add one of my VPSes with a fixed IP address to fail2ban's ignore list, like this: add a file /etc/fail2ban/jail.d/ignoremyip.conf with the content:
[DEFAULT]
ignoreip = 188.68.45.245
So now at least I could reach my YunoHost via the VPS if I'm banned. But I was not happy, because I want to reach it from home without any problems, and at home I have a dynamic IP address.
Concept
So I developed the following concept: at home I already have a DYNDNS account for my Pleroma server (on a Raspberry Pi). So the following script can get my current dynamic IP from name resolution and put it into the fail2ban config, but only if it has changed (normally during the night).
Bash Script
This is the script I developed; call it from cron:
#!/bin/bash
# Script to always unban the admin's own dynamic IP address
# Put this in /usr/local/bin/unban
# Change the SERVERNAME below to your DYNDNS host
# Make it executable: chmod 700 /usr/local/bin/unban
# Put it in root's cron like: */10 * * * * /usr/local/bin/unban
# Author: Martin Doering
# Email: devel@datenbrei.de
# License: public domain

# Set this to the DYNDNS name of your home connection.
# Its IP will always be ignored and never banned.
SERVERNAME='dyndnsname.fr'
# Note: fail2ban reads jail.d/*.conf alphabetically and the last "ignoreip" wins,
# so a second drop-in that also sets ignoreip (like ignoremyip.conf above)
# would override this one; keep every address to ignore in this file.
CONF=/etc/fail2ban/jail.d/ignoreip.conf

# Address currently in the drop-in (empty if the file does not exist yet)
OLDIP=$(grep 'ignoreip' "$CONF" 2>/dev/null | awk '{ print $NF }')
# Ask only for the A record and keep the first one: a plain "host" lookup also
# prints IPv6 and MX lines, which would leave several lines in NEWIP.
NEWIP=$(host -t A "$SERVERNAME" | awk '/has address/ { print $NF; exit }')

# Nothing to do if the address has not changed
if [[ "$NEWIP" == "$OLDIP" ]]; then
    exit 0
fi
# Rewrite the drop-in and restart fail2ban only for a plausible IPv4 address;
# on a failed lookup keep the old entry instead of restarting every 10 minutes.
if [[ $NEWIP =~ ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
    echo "[DEFAULT]" > "$CONF"
    echo "ignoreip = $NEWIP" >> "$CONF"
    systemctl restart fail2ban
fi
Since I run this script I have never been locked out again. Maybe it is of use for you YunoHost admins. And: thanks for all your work, YunoHost is great!
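As an added example (not the post's script), here is the same concept in POSIX sh with the two weak spots handled: a host lookup that also returns IPv6 or MX lines, and the fixed VPS address kept in the same drop-in so that no second jail.d file overrides it. The VPS address 188.68.45.245, the DYNDNS name and the path /etc/fail2ban/jail.d/ignoreip.conf are taken from the post; the sample host output is constructed, so the functions can be tried without a real lookup.

```shell
#!/bin/sh
# Added example, not the forum author's script: the same concept with two weak spots
# handled (multi-line "host" output; a second jail.d file overriding ignoreip).
# Constructed sample of what "host -t A dyndnsname.fr" can print; no lookup is done.
SAMPLE_HOST_OUTPUT='dyndnsname.fr has address 203.0.113.7
dyndnsname.fr has IPv6 address 2001:db8::1
dyndnsname.fr mail is handled by 10 mail.dyndnsname.fr.'
first_a_record() {
    # Read host(1) output on stdin and print only the first A record;
    # taking $NF of every line would also pick up the IPv6 and MX lines.
    awk '$2 == "has" && $3 == "address" { print $NF; exit }'
}

is_ipv4() (
    # Exactly four dot-separated decimal fields, each 0..255, nothing else.
    set -f; IFS=.            # subshell body: IFS/globbing changes stay local
    set -- $1
    [ $# -eq 4 ] || exit 1
    for octet in "$@"; do
        case $octet in ''|*[!0-9]*) exit 1 ;; esac
        [ "$octet" -le 255 ] || exit 1
    done
    exit 0
)

render_ignoreip_conf() {
    # $1 = fixed VPS address, $2 = current home address, written to ONE drop-in:
    # fail2ban reads jail.d/*.conf alphabetically and the last ignoreip wins, so a
    # separate ignoremyip.conf would silently override this file.  Loopback is
    # restored because overriding ignoreip in [DEFAULT] drops the stock value.
    printf '[DEFAULT]\nignoreip = 127.0.0.1/8 ::1 %s %s\n' "$1" "$2"
}

write_if_changed() {
    # $1 = drop-in path, $2 = fixed IP, $3 = dynamic IP. Prints 1 if rewritten, else 0.
    wanted=$(render_ignoreip_conf "$2" "$3")
    if [ -f "$1" ] && [ "$(cat "$1")" = "$wanted" ]; then echo 0; return; fi
    printf '%s\n' "$wanted" > "$1"; echo 1
}

# Cron entry point; on the real host replace SAMPLE_HOST_OUTPUT with "$(host -t A name)".
update_fail2ban() {
    ip=$(printf '%s\n' "$SAMPLE_HOST_OUTPUT" | first_a_record)
    is_ipv4 "$ip" || { echo "no usable A record, keeping old config" >&2; return 1; }
    if [ "$(write_if_changed /etc/fail2ban/jail.d/ignoreip.conf 188.68.45.245 "$ip")" = 1 ]; then
        systemctl restart fail2ban      # restart only when the file really changed
    fi
}
```

Because write_if_changed reports whether the drop-in changed, fail2ban is restarted only when a new address was actually written, and a failed lookup leaves the previous entry in place.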