Update #5 - Dynamic Fail2Ban Ignore Rule with DDNS
Update #5
Dynamic Fail2Ban Ignore Rule with DDNS
Overview
To enhance security while ensuring admin access from a dynamic IP address, I created a script that automatically resolves my home DDNS address.
and updates Fail2Ban’s ignoreip rule accordingly. This ensures my home IP is always whitelisted—even as it changes—preventing accidental lockouts.
Objective
Automatically update Fail2Ban’s ignoreip field with the resolved IP address of a DDNS hostname and restart the service.
Components Used
-
Ubuntu 22.04 VPS
-
Fail2Ban
-
DDNS hostname
-
Bash scripting
-
Cron for automation (optional)
Script Path
/usr/local/bin/update-fail2ban-ignoreip.sh
Script Logic
-
Uses
digto resolve the current IP of the DDNS hostname. -
Backs up
/etc/fail2ban/jail.local. -
Replaces the existing
ignoreipline with a new one including127.0.0.1and the resolved DDNS IP. -
Restarts the Fail2Ban service.
#!/bin/bash
# Resolve DDNS to IP
DDNS_HOST="YOUR-DDNS-NAME-HERE"
RESOLVED_IP=$(dig +short "$DDNS_HOST" | grep -Eo '([0-9]{1,3}\.){3}[0-9]{1,3}' | head -n1)
# Path to jail.local
JAIL_LOCAL="/etc/fail2ban/jail.local"
# Backup original
cp "$JAIL_LOCAL" "$JAIL_LOCAL.bak"
# Update ignoreip in jail.local
sed -i "/^ignoreip =/c\ignoreip = 127.0.0.1 $RESOLVED_IP" "$JAIL_LOCAL"
# Restart Fail2Ban
systemctl restart fail2ban
Setup Steps
Create the script:
-
Paste the script above, change it to YOUR-DDNS-SERVER - save and exit.sudo nano /usr/local/bin/update-fail2ban-ignoreip.sh
Make it executable:
-
Run it manually to verify:
sudo /usr/local/bin/update-fail2ban-ignoreip.sh
Verification
-
Checked with:
sudo cat /etc/fail2ban/jail.localConfirmed the new IP is listed in
ignoreip. -
Validated Fail2Ban is running:
sudo systemctl status fail2ban
Optional: Automate with Cron
To run the update daily:
sudo crontab -eAdd:
0 3 * * * /usr/local/bin/update-fail2ban-ignoreip.shResult
Fail2Ban now dynamically ignores my home IP—even though it’s behind a DDNS—and I no longer risk locking myself out while administering my VPS.