Update #5 - Dynamic Fail2Ban Ignore Rule with DDNS

 Overview 

To enhance security while keeping admin access from a dynamic IP address, I created a script that automatically resolves my home DDNS address and updates Fail2Ban's ignoreip rule accordingly. This keeps my home IP whitelisted even as it changes, preventing accidental lockouts.

 Objective 

 Automatically update Fail2Ban’s ignoreip field with the resolved IP address of a DDNS hostname and restart the service. 

Components Used

- Ubuntu 22.04 VPS
- Fail2Ban
- DDNS hostname
- Bash scripting
- Cron for automation (optional)


 Script Path 

 /usr/local/bin/update-fail2ban-ignoreip.sh 

Script Logic

1. Uses dig to resolve the current IP of the DDNS hostname. An empty result (DNS failure) must not be written to the config, or ignoreip would shrink to 127.0.0.1 alone and the home IP would lose its exemption.
2. Backs up /etc/fail2ban/jail.local.
3. Replaces the existing ignoreip line with a new one including 127.0.0.1 and the resolved DDNS IP. The line must already exist in jail.local: sed's c command only rewrites lines that match.
4. Restarts the Fail2Ban service.


#!/bin/bash

# Resolve DDNS to IP
DDNS_HOST="YOUR-DDNS-NAME-HERE"
RESOLVED_IP=$(dig +short "$DDNS_HOST" | grep -Eo '([0-9]{1,3}\.){3}[0-9]{1,3}' | head -n1)

# Stop here if resolution failed; writing an empty value would drop the home IP from ignoreip
if [ -z "$RESOLVED_IP" ]; then
    echo "Could not resolve $DDNS_HOST, leaving jail.local untouched" >&2
    exit 1
fi

# Path to jail.local
JAIL_LOCAL="/etc/fail2ban/jail.local"

# Backup original
cp "$JAIL_LOCAL" "$JAIL_LOCAL.bak"

# Update ignoreip in jail.local (the line must already exist; sed's c command only rewrites matching lines)
sed -i "/^ignoreip =/c\ignoreip = 127.0.0.1 $RESOLVED_IP" "$JAIL_LOCAL"

# Restart Fail2Ban so the new ignoreip takes effect
systemctl restart fail2ban
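The helper below is an added example, not the script from this post, showing how the ignoreip rewrite can be made safer before it is wired into the cron job: it validates the resolved address as a real IPv4 (the grep pattern above also accepts 999.999.999.999), compares it with what jail.local already contains so that Fail2Ban is only restarted when the address actually changed, and leaves the file untouched otherwise. The function names, the sample jail.local written by make_sample_jail and the 203.0.113.x addresses are all constructed for the demonstration (203.0.113.0/24 is a documentation range); sed -i is the GNU form, as on Ubuntu.

```shell
#!/bin/bash
# Added example, not the script from the post: validate the resolved address
# and rewrite the ignoreip line only when it actually changes.

# Accept only four dot-separated octets, each in the range 0-255.
valid_ipv4() {
    ip=$1
    case $ip in
        *[!0-9.]* | .* | *. | *..*) return 1 ;;
    esac
    old_ifs=$IFS
    IFS=.
    set -- $ip
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Print the current value of the ignoreip line (empty if the file has none).
current_ignoreip() {
    sed -n 's/^ignoreip *= *//p' "$1" | head -n1
}

# Rewrite ignoreip in FILE to "127.0.0.1 IP".
# Exit status: 0 = file changed (restart Fail2Ban), 1 = already current, 2 = address rejected.
update_ignoreip() {
    file=$1
    ip=$2
    valid_ipv4 "$ip" || return 2
    wanted="127.0.0.1 $ip"
    [ "$(current_ignoreip "$file")" = "$wanted" ] && return 1
    cp "$file" "$file.bak"
    sed -i "/^ignoreip *=/c\\ignoreip = $wanted" "$file"
    return 0
}

# Write a constructed jail.local (sample content, not a real server config).
make_sample_jail() {
    printf '[DEFAULT]\nignoreip = 127.0.0.1 203.0.113.10\nbantime = 1h\n\n[sshd]\nenabled = true\n' > "$1"
}

# Walk through the three outcomes (rejected, unchanged, changed) on a temporary file.
demo() {
    tmp=$(mktemp)
    make_sample_jail "$tmp"
    for addr in 999.1.1.1 203.0.113.10 203.0.113.25; do
        rc=0
        update_ignoreip "$tmp" "$addr" || rc=$?
        echo "$addr -> status $rc"
    done
    echo "ignoreip is now: $(current_ignoreip "$tmp")"
    rm -f "$tmp" "$tmp.bak"
}

demo
```

To use it in the post's script, replace the sed line with update_ignoreip "$JAIL_LOCAL" "$RESOLVED_IP" and run systemctl restart fail2ban only when it returns 0; a status of 2 means dig handed back something that is not an address and the previous whitelist should stay in place.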

 

 

Setup Steps

Create the script:

sudo nano /usr/local/bin/update-fail2ban-ignoreip.sh

Paste the script above, replace YOUR-DDNS-NAME-HERE with your DDNS hostname, then save and exit.

Make it executable:

sudo chmod +x /usr/local/bin/update-fail2ban-ignoreip.sh

Run it manually to verify:

sudo /usr/local/bin/update-fail2ban-ignoreip.sh


Verification

Checked with:

sudo cat /etc/fail2ban/jail.local

Confirmed the new IP is listed in ignoreip.

Validated Fail2Ban is running:

sudo systemctl status fail2ban


 Optional: Automate with Cron 

 To run the update daily: 

 sudo crontab -e 

 Add: 

 0 3 * * * /usr/local/bin/update-fail2ban-ignoreip.sh 

 Result 

 Fail2Ban now dynamically ignores my home IP—even though it’s behind a DDNS—and I no longer risk locking myself out while administering my VPS.