How to ban IP permanently?

I’m using crowdsec on debian with crowdsec-firewall-bouncer-iptables - Firewall bouncer for Crowdsec (iptables+ipset).

I know that crowdsec’s profiles.yaml has a default ban timeout of 4h.

So ipset has a timeout parameter for each IP address with a maximum value in seconds == 4294967 seconds = 49.7 days.

I infer this from the crowdsec-firewall-bouncer.log file where I saw this:

Syntax error: '31535993' is out of range 0-4294967\n"

… when I tried banning for 365 days (8760 hours) via /etc/crowdsec/profiles.yaml

What value should I use for the profile duration in profiles.yaml - in order to ban for eternity?

ipset’s manual says 0 means forever, but passing 0h or 0 in profiles.yaml causes only errors in crowdsec-firewall-bouncer.log.


Currently, it is not possible to perma ban IP with crowdsec. If you need IPs to be ban permanently, i would suggest you to create new set in your ipset (not the one used by crowdsec), and add the IPs you want to perma ban inside.