On 05/09/2015 01:03 PM, Danny Horne wrote:
> Hi all,
>
> My SSH jail is set to ban when in excess of three login attempts have
> been made within ten minutes. I've just seen the following in my logs,
> so why was a ban not imposed?

Simplistically, fail2ban is going to monitor log files and attempt to match
log lines with regexes - and if X number of lines match within Y minutes,
fail2ban will execute an action. Each 'jail' is basically a composite of
log files to watch, regexes to match with and actions to execute.

maxretry is the number of matches it takes to trigger the action.
findtime is the 'within Y minutes' - or how far back fail2ban will look in
the logs.

> 2015-05-09 15:46:34,125 fail2ban.filter [2976]: INFO [sshd] Found 84.20.80.46
> 2015-05-09 15:46:54,344 fail2ban.filter [2976]: INFO [sshd] Found 84.20.80.46
> 2015-05-09 15:47:10,675 fail2ban.filter [2976]: INFO [sshd] Found 84.20.80.46
> 2015-05-09 15:47:26,542 fail2ban.filter [2976]: INFO [sshd] Found 84.20.80.46

The default maxretry is 5 - so 4 failures is not enough to trigger the
action (typically banning the IP via iptables). You can override maxretry
in either a jail.local file or a .conf file in jail.d if you'd like to ban
hosts after fewer or more failed auth attempts. Just keep in mind the
hierarchy of where you change it, as it can be set globally (all jails) or
for a single jail (sshd).

> This is from /var/log/secure
> <snip>

Hopefully that helps clear things up at least a little bit!

-Lee Clemens
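The maxretry/findtime counting described in the reply, as an added example that is not from the thread or from fail2ban's own code: a simplified re-implementation of the per-IP sliding window, run over a constructed copy of the four "Found" lines Danny posted. It assumes a findtime of 600 seconds (the ten minutes in the question) and fail2ban's default maxretry of 5.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed copy of the four fail2ban.filter lines from the thread.
LOG_LINES = """\
2015-05-09 15:46:34,125 fail2ban.filter [2976]: INFO [sshd] Found 84.20.80.46
2015-05-09 15:46:54,344 fail2ban.filter [2976]: INFO [sshd] Found 84.20.80.46
2015-05-09 15:47:10,675 fail2ban.filter [2976]: INFO [sshd] Found 84.20.80.46
2015-05-09 15:47:26,542 fail2ban.filter [2976]: INFO [sshd] Found 84.20.80.46
"""

# Matches fail2ban's own "Found <ip>" filter log line (timestamp, jail, ip).
LINE_RE = re.compile(
    r"^(\S+ \S+) fail2ban\.filter \[\d+\]: INFO \[(\w+)\] Found (\S+)$"
)


def parse(line):
    """Return (timestamp, jail, ip) for a 'Found' line, or None otherwise."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S,%f")
    return ts, m.group(2), m.group(3)


def simulate(lines, maxretry=5, findtime=600):
    """Simplified fail2ban counting: an IP is banned at the first match
    where it has >= maxretry matches within the last findtime seconds.
    Returns {ip: timestamp_of_ban}; an IP is counted once it is banned."""
    window = timedelta(seconds=findtime)
    failures = defaultdict(list)
    bans = {}
    for line in lines.splitlines():
        parsed = parse(line)
        if parsed is None:
            continue
        ts, _jail, ip = parsed
        if ip in bans:
            continue
        # Keep only matches that are still inside the findtime window.
        recent = [t for t in failures[ip] if ts - t <= window]
        recent.append(ts)
        failures[ip] = recent
        if len(recent) >= maxretry:
            bans[ip] = ts
    return bans
```

With the default maxretry of 5 the four matches produce no ban; lowering maxretry to 3 bans at the third match, while a findtime shorter than the spacing of the attempts lets the count reset before it is reached.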
