Hello Bill, would that apply to UDP traffic? I think it does not, as UDP is stateless.
Regards

On Fri, 28 Jun 2019 at 14:43, Bill Shirley <[email protected]> wrote:

> Some attacks open up tens, if not hundreds, of connections at one time. I
> think fail2ban works by blocking *new* connections and since these
> connections are already initiated they don't get banned.
>
> You could limit the number of simultaneous connections with iptables.
> Something like:
> ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 25,465,587 limit: up to 10/min burst 4 mode srcip
>
> Bill
>
> On 6/28/2019 8:25 AM, BASSAGET Cédric wrote:
>
> Hello
> I'm trying to understand why fail2ban takes too much time (> 1 sec) to
> detect that an IP address has to be banned and ban it
>
> Here's my fail2ban.log (truncated):
> 2019-06-28 14:10:30,253 fail2ban.filter [24709]: INFO [asterisk] Found 91.121.2.x
> ........ about 3000 same entries .....
> 2019-06-28 14:12:10,614 fail2ban.filter [24709]: INFO [asterisk] Found 91.121.2.x
> 2019-06-28 14:12:12,092 fail2ban.actions [24709]: NOTICE [asterisk] Ban 91.121.2.x
>
> in jail.conf I have findtime=600 and maxretries=3. So ban action should be
> triggered really more quickly.
>
> Lines
>
> Any idea about what can be wrong?
> I'm using Fail2Ban v0.9.6 (latest on debian9 repos), default filters and
> jail config.
>
> Regards,
> Cédric
>
> _______________________________________________
> Fail2ban-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/fail2ban-users
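To put a number on the delay discussed in this thread, a fail2ban.log in the format quoted above can be replayed offline to find when the retry limit was reached and how far the Ban line trails it. This is an added example, not part of the original messages or of fail2ban; the name `ban_lag`, the sample lines and the address 192.0.2.10 are constructed, and the defaults mirror the findtime of 600 and retry limit of 3 mentioned in the post.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Matches the "Found" / "Ban" lines in the log format shown in the thread.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d{3})\s+fail2ban\.(?:filter|actions)\s+"
    r"\[\d+\]:\s+(?:INFO|NOTICE)\s+\[(?P<jail>[^\]]+)\]\s+(?P<event>Found|Ban)\s+(?P<ip>\S+)"
)

# Constructed sample: the third Found reaches the limit, the Ban comes 2.5 s later.
SAMPLE = """\
2019-06-28 14:10:30,253 fail2ban.filter  [24709]: INFO    [asterisk] Found 192.0.2.10
2019-06-28 14:10:30,300 fail2ban.filter  [24709]: INFO    [asterisk] Found 192.0.2.10
2019-06-28 14:10:30,350 fail2ban.filter  [24709]: INFO    [asterisk] Found 192.0.2.10
2019-06-28 14:10:31,000 fail2ban.filter  [24709]: INFO    [asterisk] Found 192.0.2.10
2019-06-28 14:10:32,000 fail2ban.filter  [24709]: INFO    [asterisk] Found 192.0.2.10
2019-06-28 14:10:32,850 fail2ban.actions [24709]: NOTICE  [asterisk] Ban 192.0.2.10
"""

def ban_lag(lines, maxretry=3, findtime=600):
    """Return {(jail, ip): (lag_seconds, found_after_limit)} for each Ban line."""
    window = timedelta(seconds=findtime)
    recent = defaultdict(deque)  # Found timestamps still inside the findtime window
    due = {}                     # moment the retry limit was first reached
    extra = defaultdict(int)     # Found lines logged between that moment and the Ban
    result = {}
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue             # skip unrelated or truncated lines
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S,%f")
        key = (m["jail"], m["ip"])
        if m["event"] == "Found":
            q = recent[key]
            q.append(ts)
            while ts - q[0] > window:   # expire hits older than findtime
                q.popleft()
            if key in due:
                extra[key] += 1
            elif len(q) >= maxretry:
                due[key] = ts
        elif key in due:                # Ban line for a host that hit the limit
            result[key] = ((ts - due[key]).total_seconds(), extra.pop(key, 0))
            del due[key]
            recent.pop(key, None)
    return result

if __name__ == "__main__":
    for (jail, ip), (lag, late) in ban_lag(SAMPLE.splitlines()).items():
        print(f"[{jail}] {ip}: banned {lag:.3f}s after limit, {late} more hits logged")
```

A large `found_after_limit` count alongside a long lag indicates that hits kept arriving between the moment the limit was reached and the moment the ban was logged.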
