On 11/9/2015 11:21 AM, Chris Short wrote:
> I would assume it's for tuning your find and ban times. I find it very
> useful.

Indeed. I've begun noticing a pattern lately where a particular address will do 2 ssh attempts, wait a bit over 30 minutes, do two more, repeat. This is well outside typical fail2ban settings, allowing long-term brute-forcing without getting banned. What I'm not sure of yet is whether they're just choosing a low rate that's not likely to get banned, or if they're actually fine-tuning to each target (given that I have maxretry set to 3 on my boxen, 2 tries at a time would make sense if they're fine-tuning).

I'd never have seen the pattern if I didn't have the Found lines popping up in Logwatch. If you're not using Logwatch, it might be worthwhile to write a small filter program for the fail2ban logs, pulling out the bans and the Founds separately.

Ben

--
Ben Coleman [email protected]   | For the wise man, doing right trumps
http://oloryn.benshome.net/    | looking right. For the fool, looking
Amateur Radio NJ8J             | right trumps doing right.
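The small filter program suggested in the message above, sketched as an added example (not code from the original post or from the fail2ban project): it pulls Found and Ban events apart and lists sources that keep producing Found lines over a long span without ever being banned. The fail2ban 0.9-style log layout, the sample lines, and the `min_found` / `min_span` thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed fail2ban 0.9-style layout; adjust the pattern to your version.
LINE = re.compile(
    r"^(?P<ts>[\d-]+ [\d:]+),\d+\s+fail2ban\.[\w.]+\s*(?:\[\d+\])?:\s+\w+\s+"
    r"\[(?P<jail>[^\]]+)\]\s+(?P<kind>Found|Ban)\s+(?P<ip>\S+)"
)

# Constructed sample lines (documentation addresses), not real log data.
SAMPLE = """\
2015-11-09 10:00:01,101 fail2ban.filter         [812]: INFO    [ssh] Found 203.0.113.7
2015-11-09 10:00:04,330 fail2ban.filter         [812]: INFO    [ssh] Found 203.0.113.7
2015-11-09 10:12:10,002 fail2ban.filter         [812]: INFO    [ssh] Found 198.51.100.9
2015-11-09 10:12:12,415 fail2ban.filter         [812]: INFO    [ssh] Found 198.51.100.9
2015-11-09 10:12:14,871 fail2ban.filter         [812]: INFO    [ssh] Found 198.51.100.9
2015-11-09 10:12:15,020 fail2ban.actions        [812]: NOTICE  [ssh] Ban 198.51.100.9
2015-11-09 10:31:40,518 fail2ban.filter         [812]: INFO    [ssh] Found 203.0.113.7
2015-11-09 10:31:43,909 fail2ban.filter         [812]: INFO    [ssh] Found 203.0.113.7
2015-11-09 11:03:22,266 fail2ban.filter         [812]: INFO    [ssh] Found 203.0.113.7
2015-11-09 11:03:25,700 fail2ban.filter         [812]: INFO    [ssh] Found 203.0.113.7
""".splitlines()

def split_events(lines):
    """Return (founds, bans): dicts of (jail, ip) -> list of timestamps."""
    founds, bans = defaultdict(list), defaultdict(list)
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # Unban, startup messages, anything else
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        target = founds if m["kind"] == "Found" else bans
        target[(m["jail"], m["ip"])].append(ts)
    return founds, bans

def slow_unbanned(founds, bans, min_found=4, min_span=timedelta(hours=1)):
    """Sources with many Found lines over a long span and no Ban at all."""
    rows = []
    for key, times in founds.items():
        span = max(times) - min(times)
        if key not in bans and len(times) >= min_found and span >= min_span:
            rows.append((key, len(times), span))
    return sorted(rows, key=lambda r: r[1], reverse=True)

if __name__ == "__main__":
    founds, bans = split_events(SAMPLE)
    print("Banned:", sorted(bans))
    for (jail, ip), n, span in slow_unbanned(founds, bans):
        print(f"[{jail}] {ip}: {n} Found over {span}, never banned")
```

Addresses that show up in the second list are candidates for a longer `findtime` or a separate long-window jail.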
