Fail2ban Auto Whitelist

We use fail2ban on a number of our servers for blocking brute-force attempts against services like SSH, SMTP, IMAP, SIP, etc, and it works very well. However, we get a lot of false positives under certain common circumstances.

Most of our clients are small businesses. So all of their users are on a local LAN behind a NAT'd firewall. So it's common for 10 users to authenticate with, say, their email account just fine. But then one user enters the credentials wrong a few times, and the entire office (coming from a single public IP) is banned on our side.

I'd like for fail2ban to have a bit of intelligence to its process. Something along the lines of "If we see successful authentications from this IP address, then let's whitelist it for a bit, because future failed logins are almost certainly genuine failures and not brute-force attacks."

We have clients with static IPs at their offices and those with dynamic IPs. Manually whitelisting the dynamic IPs is obviously a no-go. But even for static IPs it would be a nightmare to try to manage those manually. As a brute-force IP is banned for a period of time, it'd be good to auto-whitelist an IP for a period of time once we detect a successful authentication attempt from it so that it can't be banned.

Is this something that can be done with some clever fail2ban rules?

If we see successful authentications from this IP address, then let's whitelist it for a bit, because future failed logins are almost certainly genuine failures and not brute-force attacks.

However it can probably protect against few false positives, this is questionable practice for several reasons. The main are:

• a single compromised PC in such a subnet can unhindered do a brute force and other stuff and will be ignored if an IP/subnet was added to ignorelist;
• it opens a vector which may allow to escalate privileges for some user with fewer rights or for an account theft of other user - some user, that has a valid account, can try to login with another account, and then simply does a successful login (with his own account), so quasi resets the count of failed attempts or still worse adds the IP/subnet to the whitelist.

So at least it must consider the user name, see the discussion in [github]/fail2ban#PR-1243.

But you can try to implement the idea using ignorecommand. Here is an example for such implementation - [github]/fail2ban#2013, comment-426940189.

Also note that fail2ban is able to ban basically everything, so in such case a combination of <ip> with <F-USER> should be probably used as ban identifier.
Alternatively a "proxying" address behind NAT could be also used together with a customers' real IP address.

Anyway, no matter how you'd implement that, ensure you really understand what you do and the risks involved as well as preventive measures to avoid them.