Well, I did state that I'd set it to watch for in excess of three login attempts. As it happens, the ban failed because I still had some remnants of an attempt to add more actions to action_mwl in jail.local; when I removed them and restarted fail2ban, the ban went through.

Thanks for the response though.

On 09/05/2015 7:12 pm, Lee Clemens wrote:
> On 05/09/2015 01:03 PM, Danny Horne wrote:
>> Hi all,
>>
>> My SSH jail is set to ban when in excess of three login attempts have
>> been made within ten minutes. I've just seen the following in my logs,
>> so why was a ban not imposed?
>
> Simplistically, fail2ban is going to monitor log files and attempt to
> match log lines with regexes - and if X number of lines match within Y
> minutes, fail2ban will execute an action. Each 'jail' is basically a
> composite of log files to watch, regexes to match with and actions to
> execute.
>
> maxretry is the number of matches it takes to trigger the action
> findtime is the 'within Y minutes' - or how far back fail2ban will look
> in the logs
>
>> 2015-05-09 15:46:34,125 fail2ban.filter [2976]: INFO [sshd] Found 84.20.80.46
>> 2015-05-09 15:46:54,344 fail2ban.filter [2976]: INFO [sshd] Found 84.20.80.46
>> 2015-05-09 15:47:10,675 fail2ban.filter [2976]: INFO [sshd] Found 84.20.80.46
>> 2015-05-09 15:47:26,542 fail2ban.filter [2976]: INFO [sshd] Found 84.20.80.46
>>
>
> The default maxretry is 5 - so 4 failures is not enough to trigger the
> action (typically banning the IP via iptables).
>
> You can override maxretry in either a jail.local file or a .conf file in
> jail.d if you'd like to ban hosts after fewer or more failed auth
> attempts. Just keep in mind the hierarchy of where you change it, as it
> can be set globally (all jails) or for a single jail (sshd).
>
>> This is from /var/log/secure
>
> <snip>
>
> Hopefully that helps clear things up at least a little bit!
>
> -Lee Clemens
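To make Lee's explanation of maxretry and findtime concrete, here is an added example that is not part of the thread and not fail2ban's own code: a small Python simulation of the counting rule (N matches within a window of findtime seconds triggers the action). It is fed the four "Found" lines quoted above, so it reproduces the observation that with the default maxretry of 5 no ban is imposed, while lowering maxretry to 3 bans the host on the third match. The regex parses fail2ban's own log format rather than /var/log/secure, and the simulate() function name and its return shape are this example's own choices.

```python
"""Toy model of fail2ban's maxretry/findtime rule (illustration, not fail2ban code)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Sample input: the four "Found" lines quoted in the thread above.
SAMPLE_LOG = """\
2015-05-09 15:46:34,125 fail2ban.filter [2976]: INFO [sshd] Found 84.20.80.46
2015-05-09 15:46:54,344 fail2ban.filter [2976]: INFO [sshd] Found 84.20.80.46
2015-05-09 15:47:10,675 fail2ban.filter [2976]: INFO [sshd] Found 84.20.80.46
2015-05-09 15:47:26,542 fail2ban.filter [2976]: INFO [sshd] Found 84.20.80.46
"""

# Matches fail2ban's own "Found <ip>" log lines (not the sshd lines in /var/log/secure).
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d+ .*"
    r"\[(?P<jail>\w+)\] Found (?P<ip>\S+)$"
)


def parse_found_line(line):
    """Return (timestamp, jail, ip) for a 'Found' line, or None if it does not match."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
    return ts, m["jail"], m["ip"]


def simulate(log_text, maxretry=5, findtime=600):
    """Replay log lines and return the ban events [(ban_time, ip), ...].

    maxretry: number of matches needed to trigger the action (fail2ban default 5).
    findtime: look-back window in seconds; matches older than this are forgotten
              (fail2ban default 600, i.e. the 'within ten minutes' in the thread).
    """
    recent = defaultdict(deque)   # ip -> timestamps of matches still inside findtime
    banned = set()
    bans = []
    for line in log_text.splitlines():
        parsed = parse_found_line(line)
        if parsed is None:
            continue
        ts, _jail, ip = parsed
        if ip in banned:
            continue                # already actioned; nothing more to count
        window = recent[ip]
        window.append(ts)
        # Drop matches that fell out of the findtime window.
        cutoff = ts - timedelta(seconds=findtime)
        while window and window[0] < cutoff:
            window.popleft()
        if len(window) >= maxretry:
            bans.append((ts, ip))
            banned.add(ip)
            window.clear()
    return bans


if __name__ == "__main__":
    # Default settings: four matches never reach maxretry=5, so no ban is recorded.
    print("maxretry=5:", simulate(SAMPLE_LOG))
    # The setting the original poster intended: third match triggers the ban.
    print("maxretry=3:", simulate(SAMPLE_LOG, maxretry=3))
    # A findtime too short for the spacing of the attempts also yields no ban.
    print("maxretry=3, findtime=30:", simulate(SAMPLE_LOG, maxretry=3, findtime=30))
```

The third call shows the other half of Lee's point: findtime matters as much as maxretry. The quoted attempts arrive 16 to 20 seconds apart, so with a 30-second window no three of them are ever inside it at once, and the count never reaches 3 even though four failures were logged.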
_______________________________________________ Fail2ban-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/fail2ban-users
