You could however set thresholds to drop a list of bans into a file, or based upon the ban log for F2B, and regex either file to simulate consecutive retries in the form of ban events to block that IP on a more permanent basis. That way if your users accidentally block themselves for the initial ban events, the perm ban won't take effect until they reach X ban events per period, for example 5 in one month. Taking it a step further, if X customer is getting attacked relentlessly you could set another regex to search for just ban events for a particular customer and ban all IPs, during X period, that trigger for example 20 bans on that customer in one hour. The persistent slow attacks can then be covered.

On Aug 3, 2016 11:46 AM, "Trent Creekmore" <[email protected]> wrote:

> Thanks for the awesome advice. I readjusted the default settings which I
> feel were set too low.
>
> -----Original Message-----
> From: Michael Fox [mailto:[email protected]]
> Sent: Monday, August 1, 2016 11:51 PM
> To: [email protected]
> Subject: Re: [Fail2ban-users] Spotted Inherent problem
>
> >An apparent script was going slowly through a list of accounts, and one-by-one,
> >testing each one, and failing. Then over time it would repeat. Same accounts,
> >but a different one each time it attempted to get the correct password.
>
> >While no accounts have been compromised, I see there are a LOT of fails, and
> >there is no ban because it is not trying the same account in consecutive tries.
>
> >Any means to stop this from continuing?
>
> Fail2ban is not based on consecutive tries. It is based on "maxretry" tries
> within "findtime" time interval.
>
> If you adjust your filter regex to ignore which account they are trying, you
> should be able to pick a maxretry and findtime value that will identify the
> offender.
>
> Michael
>
> ------------------------------------------------------------------------------
> _______________________________________________
> Fail2ban-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/fail2ban-users
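
The ban-event threshold suggested at the top of this thread (for example 5 bans in one month before a more permanent block), sketched as an added example that is not code from the thread or from the Fail2ban project. It assumes the default layout of `Ban` notices in fail2ban.log; the jail name, PID and addresses in the sample are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Ban notices as written to fail2ban.log (default timestamp layout assumed).
# "Unban" and "Restore Ban" lines deliberately do not match.
BAN_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d+\s+fail2ban\.actions\s+"
    r"\[\d+\]:\s+NOTICE\s+\[(?P<jail>[^\]]+)\]\s+Ban\s+(?P<ip>\S+)\s*$"
)

def repeat_offenders(lines, max_bans, window):
    """Map each IP to the time it first reached max_bans bans inside window."""
    recent = defaultdict(deque)   # ip -> ban times still inside the window
    flagged = {}
    for line in lines:
        m = BAN_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        bans = recent[m["ip"]]
        bans.append(ts)
        while ts - bans[0] > window:   # forget bans older than the period
            bans.popleft()
        if len(bans) >= max_bans:
            flagged.setdefault(m["ip"], ts)
    return flagged

# Constructed sample log (documentation-range addresses), in time order.
P = "fail2ban.actions [812]: NOTICE [dovecot]"
SAMPLE_LOG = [
    f"2016-07-01 08:00:00,101 {P} Ban 192.0.2.50",
    f"2016-07-10 08:00:00,101 {P} Ban 192.0.2.50",
    f"2016-07-20 08:00:00,101 {P} Ban 192.0.2.50",
    f"2016-08-01 09:15:02,331 {P} Ban 203.0.113.7",
    f"2016-08-01 09:25:02,412 {P} Unban 203.0.113.7",
    f"2016-08-02 10:00:00,005 {P} Ban 198.51.100.23",   # user typo lockout
    f"2016-08-04 03:12:44,870 {P} Ban 203.0.113.7",
    f"2016-08-05 08:00:00,101 {P} Ban 192.0.2.50",
    f"2016-08-06 00:00:01,000 {P} Restore Ban 203.0.113.7",
    f"2016-08-09 21:40:10,144 {P} Ban 203.0.113.7",
    f"2016-08-14 02:05:31,009 {P} Ban 203.0.113.7",
    f"2016-08-15 08:00:00,101 {P} Ban 192.0.2.50",
    f"2016-08-20 17:59:59,650 {P} Ban 203.0.113.7",
]

if __name__ == "__main__":
    for ip, when in repeat_offenders(SAMPLE_LOG, 5, timedelta(days=30)).items():
        print(f"{ip} reached 5 bans within 30 days at {when}")
```

The address with five bans spread over more than 30 days and the single self-inflicted lockout both stay below the threshold; only the address banned five times inside the window is reported.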
