On my servers I use the nifty program
Fail2Ban to perform
logbased automatic firewalling of ‘bad’ ip’s.
The idea behind this is easy: Some IP performs an action I don’t approve
of. This can be any number of things, e.g. requesting pages in Apache
that are commonly accessed by bots and/or scanners, or trying to log in
to SSH with accounts that do not exist on the system. This bad behavior
gets logged, and Fail2Ban keeps tabs on those logs, and using a number
of rules it determines if a host is ‘bad’ enough to temporarily or
permanently ban all access to the server. It does so by adding a few
chains to Iptables (one for each thing it checks for), and dynamically
adding/removing IP’s to/from these chains.
This all works perfectly. However, there’s one issue; When Iptables gets
reloaded, it restores its default rules, removing the Fail2Ban chains
and all the rules they contain, even if the ip’s in the chain were
marked as permanent.