No, fail2ban keeps a database as the logs change (located in 
/usr/lib/python3/dist-packages/fail2ban/server/__pycache__/); all my files in 
that folder total 220 KB, so it’s not a big load, only storing which IP 
registered against which jail.

Historically after analysing my logs I found that one persistent brute force on 
my IMAP server was running for weeks (never banned) as it was set up to probe 4 
times every two hours. Increasing the findtime knocked that on the head.

There’s also a debatable point in changing the default bantime to shorter if 
using recidive.

But what I believe currently (in conjunction with recidive) is that a small ban 
time of 5 minutes on some services that are prone to long attacks triggers 
fail2ban; quite often that’s enough to make the bot go away, but if not then it 
triggers recidive for 5 days inside of 15 minutes rather than waiting 6 hours 
(which I believe are the defaults). Some bots are just stupid: they keep on 
hammering away, ignoring all HTTP codes, while they wait around for a 
connection. That’s a problem for server load: with a multiple-bot attack 
you’re dropping or hanging connections on a web server, so you want to knock 
the bots out of the way quickly, and if they pop up again then wipe them out 
for a long time before they tie up 20 connections. Knocking them out inside of 
15 minutes is, in my view, better than waiting a longer time; if there’s a 
distributed command and control model and the attack is shared, you get a 
higher percentage of the botnet faster.

I do wonder if “DROP” rather than “REJECT” is better; there’s an interesting 
discussion at 

http://www.chiark.greenend.org.uk/~peterb/network/drop-vs-reject

where the only advantage is possibly that DROP would perform better in a denial 
of service (in theory); in practice DoS attacks are so large that in my opinion 
it offers little advantage. A “stupid botnet” is going to ignore REJECT; it may 
be slowed down by DROP as it waits for a network response until it times out, 
but then it’s going to continue probing, which could exceed the findtime and 
bantime. My theory (totally up for debate) would be that an instant rejection 
is more likely to cause the “stupid botnet” to run through its cycle faster 
(even though it’s not going anywhere near the services) by receiving a REJECT 
and then move on. If it’s a clever botnet it’s going to communicate to any 
other members of its network that it received multiple rejections and to pass 
on by without wasting the hacker’s report. Though these botnets are automated, 
the better ones are optimised to find easy targets rather than waste time after 
fail2ban has been triggered, and DROP or REJECT, they are going to have 
received one response so they know roughly what software you are running on 
which port, so if they are mapping for future exploits it makes no difference.
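
The findtime/maxretry/bantime behaviour discussed above (the slow IMAP probe that never trips a short findtime, and a 5-minute service ban feeding recidive within 15 minutes) can be modelled with a sliding window. This is an added example, not fail2ban's own code and not from any poster; the Jail class, both sample bots and the recidive parameters (findtime 900, maxretry 3, bantime 5 days) are assumptions.

```python
# Added illustration, not fail2ban's own code: models the rule that a host is
# banned once maxretry failures fall within findtime seconds and stays banned
# for bantime; a second Jail fed with the first jail's bans acts like recidive.
# Assumed simplifications: banned hosts produce no failures, a ban clears the
# host's failure window, and the service jail keeps running independently.
from collections import deque

class Jail:
    def __init__(self, findtime, maxretry, bantime):
        self.findtime, self.maxretry, self.bantime = findtime, maxretry, bantime
        self.events = {}        # ip -> deque of failure timestamps in window
        self.banned_until = {}  # ip -> time the ban expires
        self.bans = []          # (time, ip) for every ban issued

    def is_banned(self, ip, t):
        return self.banned_until.get(ip, -1) > t

    def failure(self, ip, t):
        """Record one failure at time t; return True if it caused a ban."""
        if self.is_banned(ip, t):
            return False
        window = self.events.setdefault(ip, deque())
        window.append(t)
        while window[0] < t - self.findtime:  # expire failures outside findtime
            window.popleft()
        if len(window) < self.maxretry:
            return False
        self.banned_until[ip] = t + self.bantime
        self.bans.append((t, ip))
        window.clear()
        return True

def run(jail, attempts):
    """Feed (time, ip) failures in time order; return the jail's ban list."""
    for t, ip in sorted(attempts):
        jail.failure(ip, t)
    return jail.bans

def slow_imap_bot(days=14, per_burst=4, period=7200, ip="203.0.113.9"):
    """Constructed bot: 4 failures every two hours, like the IMAP probe above."""
    return [(b * period + i, ip)
            for b in range(days * 86400 // period) for i in range(per_burst)]

def recidive(service_jail, findtime=900, maxretry=3, bantime=5 * 86400):
    """Count the service jail's bans the way recidive counts ban log lines."""
    r = Jail(findtime, maxretry, bantime)
    for t, ip in service_jail.bans:
        r.failure(ip, t)
    return r.bans
```

With findtime 600 and maxretry 5 the slow bot is never banned, while findtime 10800 bans it at the first failure of its second burst; a bot hitting every 10 seconds against a 300-second bantime is re-banned at 40, 380 and 720 seconds, and the third ban trips the recidive jail at 720 seconds.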


> On 10 Aug 2018, at 21:05, Wayne Sallee <[email protected]> wrote:
> 
> Which brings me to another question: 
> 
> Do longer find times (obviously it needs to be longer than what it is) make 
> for more load on the server by causing Fail2Ban to load more data?
> 
> Wayne Sallee
> [email protected]
> http://www.WayneSallee.com
> 
> On 08/10/2018 04:01 PM, Wayne Sallee wrote:
>> You're right. I should make it a lot longer.
>> 
>> Wayne Sallee
>> [email protected]
>> http://www.WayneSallee.com
>> 
>> On 08/10/2018 03:51 PM, Philip Clarke via Fail2ban-users wrote:
>>> That's a really short find time by default.
>>> 
>>> On 10 Aug 2018 20:47, Wayne Sallee <[email protected]> wrote:
>>> cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
>>> sed -i 's/^/#/' /etc/fail2ban/jail.local
>>> 
>>> cat >>/etc/fail2ban/jail.local<< "EOF"
>>> 
>>> [DEFAULT]
>>> # Number of seconds.
>>> bantime = 86400
>>> findtime  = 600
>>> maxretry = 5
>>> action = %(action_mwl)s
>>> 
>>> 
>>> [sshd]
>>> enabled = true
>>> port    = ssh
>>> logpath = /var/log/auth.log
>>> backend = %(sshd_backend)s
>>> 
>>> 
>>> [apache-overflows]
>>> enabled = true
>>> port     = http,https
>>> logpath  = /var/log/apache2/error.log
>>>  /var/log/apache2/error1.log
>>>  /var/log/apache2/error5.log
>>> maxretry = 2
>>> 
>>> EOF
>>> 
>>> 
>>> 
>>> 
>>> Something like that. :-)
>>> 
>>> Wayne Sallee
>>> [email protected]
>>> http://www.WayneSallee.com
>>> 
>>> 
>>> On 08/10/2018 03:15 PM, Tony Collins wrote:
>>> It would be so helpful if we could see your config files :-) 
>>> 
>>> Are you comfortable sharing them yet?
>>> 
>>> If you want to email privately, I'm happy to do that. I've shared my config 
>>> files here before. 
>>> 
>>> Please do not worry about sharing stuff like that. We've all got f2b, we 
>>> all know how bad it can be to set it up and to make nice .conf files.
>>> 
>>> We can set it all up perfectly with a bit of effort :-) 
>>> 
>>> Tony 
>>> 
>>> On Fri, 10 Aug 2018 at 20:11, Wayne Sallee <[email protected]> wrote:
>>> Although the space does produce better results, so it's needed.
>>> 
>>> 
>>> Wayne Sallee
>>> [email protected]
>>> http://www.WayneSallee.com
>>> 
>>> On 08/10/2018 03:03 PM, Wayne Sallee wrote:
>>> I already tried both methods, and even tried spaces after the line.
>>> Maybe I got a buggy version of Fail2Ban.
>>> 
>>> Wayne Sallee
>>> [email protected]
>>> http://www.WayneSallee.com
>>> 
>>> On 08/10/2018 02:43 PM, Tony Collins wrote:
>>> Thank you for the information.
>>> 
>>> Ok, I think you mentioned that the semi-colon doesn't work either. But I'd 
>>> like to check.
>>> 
>>> Can you tell me if this works:
>>> 
>>> [apache-overflows]
>>> enabled = true
>>> port     = http,https
>>> logpath  = /var/log/apache2/error.log;/var/log/apache2/error2.log
>>> maxretry = 2
>>> 
>>> So, no spaces between the two file paths/names, just a ;
>>> 
>>> Also I think maybe you might need an extra space if you use the "newline" 
>>> method. I think I forgot to say this!
>>> 
>>> Does this work:
>>> 
>>> [apache-overflows]
>>> enabled = true
>>> port     = http,https
>>> logpath  = /var/log/apache2/error.log
>>>  /var/log/apache2/error2.log
>>> maxretry = 2
>>> 
>>> Note that when I pressed enter at the end of the "logpath" line, I then 
>>> typed a space before I typed "/var/log/apache2/error2.log".
>>> 
>>> Please try both of those. Fail2ban is very "fussy" about its configuration 
>>> files. I have made so many errors while writing configuration files. It is 
>>> painful!
>>> 
>>> Tony 
>>> 
>>> On Fri, 10 Aug 2018 at 19:38, Wayne Sallee <[email protected]> wrote:
>>> For example this will error:
>>> 
>>> [apache-overflows]
>>> enabled = true
>>> port     = http,https
>>> logpath  = /var/log/apache2/error.log
>>> /var/log/apache2/error2.log
>>> maxretry = 2
>>> 
>>> 
>>> ERROR  Failed during configuration: Source contains parsing errors: 
>>> '/etc/fail2ban/jail.local'
>>>         [line 883]: '/var/log/apache2/error2.log\n'
>>> 
>>> 
>>> But this will not error:
>>> 
>>> [apache-overflows]
>>> enabled = true
>>> port     = http,https
>>> logpath  = /var/log/apache2/error.log
>>> maxretry = 2
>>> 
>>> And this will not error:
>>> 
>>> [apache-overflows]
>>> enabled = true
>>> port     = http,https
>>> logpath  = /var/log/apache2/error2.log
>>> maxretry = 2
>>> 
>>> 
>>> /var/log/apache2/error2.log is a substitute name. 
>>> 
>>> 
>>> Wayne Sallee
>>> [email protected]
>>> http://www.WayneSallee.com
>>> 
>>> 
>>> On 08/10/2018 02:14 PM, Tony Collins wrote:
>>> Maybe there is a small mistake somewhere in the configuration?
>>> 
>>> Please paste the jail's configuration here - we will use "fresh eyes" to 
>>> see if we can find the problem :-) 
>>> 
>>> On Fri, 10 Aug 2018 at 19:05, Wayne Sallee <[email protected]> wrote:
>>> I figured that was it, but then wondered surely he knows it's disabled. :-)
>>> I thought spacing was working before, but it's not, neither does ";" and 
>>> neither does a new line. So I just put the others on new lines, and 
>>> commented them out. That works :-) sort of :-)
>>> 
>>> 
>>> Wayne Sallee
>>> [email protected]
>>> http://www.WayneSallee.com
>>> 
>>> ------------------------------------------------------------------------------
>>> Check out the vibrant tech community on one of the world's most
>>> engaging tech sites, Slashdot.org! 
>>> http://sdm.link/slashdot_______________________________________________
>>> Fail2ban-users mailing list
>>> [email protected]
>>> https://lists.sourceforge.net/lists/listinfo/fail2ban-users
>>> -- 
>>> -- Tony Collins
>>> 
>>> 
>>> -- 
>>> -- Tony Collins
>>> 
>>> 

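The logpath continuation-line problem in the quoted exchange above comes down to how Python's configparser, which fail2ban uses to read jail.local, treats indentation: only a line that starts with whitespace continues the previous value, and the "Source contains parsing errors" message is configparser's own. This added example (not fail2ban's or either poster's code; the three jail fragments are constructed) parses the unindented, indented and semicolon variants and returns what each yields.

```python
# Added illustration, not fail2ban's own code. fail2ban reads jail.local with
# Python's configparser, which treats a line as a continuation of the previous
# value only when it starts with whitespace; an unindented line with no "=" is
# rejected with the "Source contains parsing errors" message quoted above.
# The three jail fragments are constructed samples of the variants discussed.
import configparser

UNINDENTED = """[apache-overflows]
enabled = true
logpath  = /var/log/apache2/error.log
/var/log/apache2/error2.log
maxretry = 2
"""

INDENTED = """[apache-overflows]
enabled = true
logpath  = /var/log/apache2/error.log
 /var/log/apache2/error2.log
maxretry = 2
"""

SEMICOLON = """[apache-overflows]
enabled = true
logpath  = /var/log/apache2/error.log;/var/log/apache2/error2.log
maxretry = 2
"""

def parse_logpath(text, source="jail.local"):
    """Return the logpath entries (one per line), or the parser's error text."""
    cp = configparser.ConfigParser(interpolation=None)
    try:
        cp.read_string(text, source=source)
    except configparser.ParsingError as e:
        return str(e)
    # fail2ban takes one log file per line of a multi-line logpath value;
    # with plain configparser a ';' inside a value is not a separator, so
    # that variant yields a single combined (and non-existent) path
    return cp.get("apache-overflows", "logpath").splitlines()
```

Only the indented variant produces two separate paths; the unindented one is the parsing error from the thread, and the semicolon one silently becomes a single path that does not exist.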
