Bug#602085: fail2ban doesn't respond well for quick distributed attacks (patch)

Mon, 01 Nov 2010 06:48:14 -0700 

Hi Renat,

nice observation... but fix I think is not ideal since it changes
semantics of __checkBan (would return True even for already banned)...

may be better solution would be to check either any other new ticket is
available within the jail and then not sleep at all (and thus sleep only
if queue is empty)...  not sure though if it would not have some
unpleasant side-effects as well

also sleeptime seems to be not interfaced within client/configuration at
all-- should be made configurable, so you could tune it up to your
liking (patch is welcome ;)).

On Mon, 01 Nov 2010, Renat Sabitov wrote:

> Package: fail2ban
> Version: 0.8.3-2sid1
> Severity: normal

> Last night I had a distributed attack on my asterisk server from over than 
> 400 hosts. 
> fail2ban failed to ban all IP addresses, because it can only
> try to ban one IP address per second. All my log is full of this messages:

> 2010-11-01 14:53:32,272 fail2ban.actions: WARNING [asterisk-iptables] 
> 59.99.209.227 already banned
> 2010-11-01 14:53:33,272 fail2ban.actions: WARNING [asterisk-iptables] 
> 125.166.165.16 already banned
> 2010-11-01 14:53:34,272 fail2ban.actions: WARNING [asterisk-iptables] 
> 110.159.192.213 already banned
> 2010-11-01 14:53:35,272 fail2ban.actions: WARNING [asterisk-iptables] 
> 80.67.50.243 already banned
> 2010-11-01 14:53:36,272 fail2ban.actions: WARNING [asterisk-iptables] 
> 125.165.164.204 already banned
> 2010-11-01 14:53:37,272 fail2ban.actions: WARNING [asterisk-iptables] 
> 61.19.66.182 already banned
> 2010-11-01 14:53:38,273 fail2ban.actions: WARNING [asterisk-iptables] 
> 110.159.192.213 already banned
> 2010-11-01 14:53:39,272 fail2ban.actions: WARNING [asterisk-iptables] 
> 80.67.50.243 already banned
> 2010-11-01 14:53:40,272 fail2ban.actions: WARNING [asterisk-iptables] 
> 125.166.165.16 already banned

> The problem is actually in the actions.py file, if ip is already banned, 
> fail2ban waits for 1 second 
> before banning another one. I believe that this patch should solve the 
> problem:

-- 
                                  .-.
=------------------------------   /v\  ----------------------------=
Keep in touch                    // \\     (yoh@|www.)onerussian.com
Yaroslav Halchenko              /(   )\               ICQ#: 60653192
                   Linux User    ^^-^^    [175555]





-- 
To UNSUBSCRIBE, email to [email protected]
with a subject of "unsubscribe". Trouble? Contact [email protected]

Reply via email to