recidive is a meta-jail: it reads Fail2ban’s own log and bans any IP that has already been
banned several times — for much longer, across all ports. It’s how you make persistent bots go
away instead of returning every hour.
1. The jail
In /etc/fail2ban/jail.local:
[recidive]
enabled = true
logpath = /var/log/fail2ban.log
banaction = %(banaction_allports)s
bantime = 1w
findtime = 1d
maxretry = 5
Translation: if an IP is banned 5 times within 1 day, ban it on all ports for 1 week.
2. Reload
sudo fail2ban-client reload
3. Verify
sudo fail2ban-client status recidive
The banned list here is your hall of fame of persistent attackers.
4. Make sure Fail2ban logs to a file
recidive needs /var/log/fail2ban.log to exist. Check /etc/fail2ban/fail2ban.local (or
fail2ban.conf) has:
[Definition]
logtarget = /var/log/fail2ban.log
If yours logs to the systemd journal instead (logtarget = SYSLOG / SYSTEMD-JOURNAL), set the
recidive jail to read the journal with backend = systemd and no logpath.
Why all-ports: a recidivist has proven it’s hostile, so banaction_allports blocks it
everywhere, not just on the service it last attacked. Pair with bantime.increment on the base
jails for layered escalation.
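To preview which addresses the step 1 settings would catch, this added example (not from the original page, and not Fail2ban's own code) replays the Ban notices in fail2ban.log through a sliding findtime window and reports each IP that reaches maxretry. The regex is a simplified approximation of the log line format, the function names are hypothetical, and the sample log lines are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Simplified pattern for "Ban" notices in fail2ban.log (an approximation,
# not Fail2ban's shipped recidive filter). "Unban"/"Restore Ban" never match.
BAN_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d+\s+fail2ban\.actions\s+"
    r"\[\d+\]:\s+NOTICE\s+\[(?P<jail>[^\]]+)\]\s+Ban\s+(?P<ip>\S+)\s*$"
)

def recidive_candidates(lines, maxretry=5, findtime=timedelta(days=1)):
    """Return {ip: time of the ban that reaches maxretry within findtime}."""
    recent = defaultdict(deque)  # ip -> ban times still inside the window
    tripped = {}
    for line in lines:
        m = BAN_RE.match(line)
        if not m or m["jail"] == "recidive":  # recidive's own bans don't count
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        window = recent[m["ip"]]
        window.append(ts)
        while ts - window[0] > findtime:  # drop bans older than findtime
            window.popleft()
        if len(window) >= maxretry:
            tripped.setdefault(m["ip"], ts)
    return tripped

def sample_line(ts, jail, ip, verb="Ban"):
    """Build one constructed log line in the default file-log layout."""
    return f"{ts},000 fail2ban.actions        [812]: NOTICE  [{jail}] {verb} {ip}"

# Constructed sample log (documentation IP ranges, invented timestamps).
SAMPLE_LOG = sorted(
    # 5 bans in 20 hours: reaches maxretry inside findtime
    [sample_line(f"2024-05-01 {h:02d}:00:00", "sshd", "192.0.2.10")
     for h in (1, 6, 11, 16, 21)]
    # 5 bans spread over 5 days: never 5 inside one day
    + [sample_line(f"2024-05-0{d} 03:00:00", "sshd", "198.51.100.7")
       for d in range(1, 6)]
    # Unban lines and recidive's own bans are ignored
    + [sample_line("2024-05-01 22:00:00", "sshd", "203.0.113.5", verb="Unban"),
       sample_line("2024-05-01 23:00:00", "recidive", "203.0.113.5")]
)

if __name__ == "__main__":
    for ip, when in recidive_candidates(SAMPLE_LOG).items():
        print(f"{ip} would be banned by recidive at {when}")
```

To run it against a real log, pass the lines of /var/log/fail2ban.log to recidive_candidates in place of SAMPLE_LOG.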