I have set up fail2ban on my system to permanently ban IP addresses in iptables that get caught. Basically, I have a ban action and no unban action, with a -1 bantime. This all works great, except that fail2ban rescans all of the logs on startup and rebans any of the addresses that it finds. I worked around this by putting a conditional in the ban command, but it would be cleaner if there were an option to prevent this startup scan from occurring.
By the way, kudos to the team on an excellent tool!
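
Added example (not part of the original post and not fail2ban's own code): one way a conditional ban command like the workaround described above could look, so that bans replayed by the startup log rescan do not insert duplicate iptables rules. The chain name `f2b-permanent`, the script path in the comment, and the IPv4-only validation are assumptions.

```shell
#!/bin/sh
# Idempotent permanent-ban helper (added example, hypothetical names).
# Could be called from a fail2ban action as, for instance:
#   actionban = /usr/local/sbin/ban-once.sh <ip>     (path is hypothetical)
#   actionunban =
IPT="${IPT:-iptables}"            # overridable, e.g. for testing
CHAIN="${CHAIN:-f2b-permanent}"   # hypothetical chain name

# Accept only a dotted-quad IPv4 address, so text taken from a log line
# can never reach iptables as an extra option or argument.
valid_ipv4() {
    case "$1" in
        ""|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# Insert a DROP rule only if an identical rule is not already present.
# Returns 0 on success or when already banned, 2 on invalid input.
ban_ip() {
    ip=$1
    valid_ipv4 "$ip" || return 2
    # iptables -C exits 0 when a matching rule already exists in the chain.
    if $IPT -C "$CHAIN" -s "$ip" -j DROP 2>/dev/null; then
        return 0
    fi
    $IPT -I "$CHAIN" 1 -s "$ip" -j DROP
}

# When run as a script with an argument, ban that address.
if [ $# -gt 0 ]; then
    ban_ip "$1"
fi
```
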