conntrack tracks UDP. Try running: conntrack -L | grep udp

Bill

On 6/28/2019 9:04 AM, BASSAGET Cédric wrote:
> Hello Bill,
> would that apply to UDP traffic? I think it does not, as UDP is stateless.
>
> Regards
>
> On Fri, 28 June 2019 at 14:43, Bill Shirley <[email protected]> wrote:
>> Some attacks open up tens, if not hundreds, of connections at one time. I think fail2ban works by blocking *new* connections and since these connections are already initiated they don't get banned.
>>
>> You could limit the number of simultaneous connections with iptables. Something like:
>> ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 25,465,587 limit: up to 10/min burst 4 mode srcip
>>
>> Bill
>>
>> On 6/28/2019 8:25 AM, BASSAGET Cédric wrote:
>>> Hello
>>> I'm trying to understand why fail2ban takes too much time (> 1 sec) to detect that an IP address has to be banned and ban it.
>>> Here's my fail2ban.log (truncated):
>>> 2019-06-28 14:10:30,253 fail2ban.filter [24709]: INFO [asterisk] Found 91.121.2.x
>>> ........ about 3000 same entries .....
>>> 2019-06-28 14:12:10,614 fail2ban.filter [24709]: INFO [asterisk] Found 91.121.2.x
>>> 2019-06-28 14:12:12,092 fail2ban.actions [24709]: NOTICE [asterisk] Ban 91.121.2.x
>>>
>>> In jail.conf I have findtime=600 and maxretries=3. So ban action should be triggered really more quickly. Lines
>>> Any idea about what can be wrong?
>>> I'm using Fail2Ban v0.9.6 (latest on debian9 repos), default filters and jail config.
>>> Regards,
>>> Cédric
_______________________________________________
Fail2ban-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
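
Added example, not part of the thread and not fail2ban's own code: a Python script that measures the symptom reported in the original question, namely how many Found lines pile up and how long it takes from crossing the retry threshold to the Ban line in fail2ban.log. The sample log is constructed (documentation-range addresses), `ban_latency` and its `maxretry` parameter are illustrative names, and the findtime window is ignored for simplicity.

```python
import re
from datetime import datetime

# Constructed sample in the fail2ban.log layout quoted in the thread
# (addresses are from the 203.0.113.0/24 documentation range).
SAMPLE_LOG = """\
2019-06-28 14:10:30,253 fail2ban.filter         [24709]: INFO    [asterisk] Found 203.0.113.7
2019-06-28 14:10:30,301 fail2ban.filter         [24709]: INFO    [asterisk] Found 203.0.113.7
2019-06-28 14:10:30,350 fail2ban.filter         [24709]: INFO    [asterisk] Found 203.0.113.7
2019-06-28 14:10:31,002 fail2ban.filter         [24709]: INFO    [asterisk] Found 203.0.113.7
2019-06-28 14:12:10,614 fail2ban.filter         [24709]: INFO    [asterisk] Found 203.0.113.7
2019-06-28 14:12:12,092 fail2ban.actions        [24709]: NOTICE  [asterisk] Ban 203.0.113.7
2019-06-28 14:15:00,000 fail2ban.filter         [24709]: INFO    [sshd] Found 203.0.113.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d{3})\s+fail2ban\.\w+\s+\[\d+\]:\s+"
    r"\w+\s+\[(?P<jail>[^\]]+)\]\s+(?P<event>Found|Ban)\s+(?P<ip>\S+)"
)

def ban_latency(log_text, maxretry=3):
    """Per (jail, ip): Found count before the ban and seconds from the
    maxretry-th Found to the Ban line. Pairs never banned are omitted.
    Assumption: all Found lines fall inside one findtime window."""
    found = {}    # (jail, ip) -> timestamps of Found lines since last ban
    report = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated or malformed line
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S,%f")
        key = (m["jail"], m["ip"])
        if m["event"] == "Found":
            found.setdefault(key, []).append(ts)
        else:
            hits = found.pop(key, [])
            # Threshold time is unknown if the log starts mid-burst.
            delay = ((ts - hits[maxretry - 1]).total_seconds()
                     if len(hits) >= maxretry else None)
            report.append({"jail": key[0], "ip": key[1],
                           "found": len(hits), "delay_s": delay})
    return report

if __name__ == "__main__":
    for row in ban_latency(SAMPLE_LOG):
        print(row)
```

A large `delay_s` together with a `found` count far above the threshold is the pattern described in the question: matches keep being logged long after the threshold was crossed.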
