I have fail2ban working on my server (primarily for WordPress) and it works well. There is one issue, however, that I'd like to ask about.

When a legitimate WordPress user makes a mistake typing their password when logging in, there is a delay of at least about two seconds before they submit their corrected password. In fact, they could be given a notification screen telling them to be sure to wait at least three seconds before submitting their corrected password.

Even with fail2ban fully in effect there are spammers who go so far as to figure out the fail2ban settings and will keep hitting the site with brute-force logins (from changing IPs) but stop just before the threshold (whether it be 6 failures in 10 minutes or whatever). Looking at the logs, these attempts are often obvious because the time difference between the GET and the POST is often zero or 1 (or there is a short time difference between sequential fails). In fact these are not much of a problem, because there can't be very many of them.

But does anyone know of a tool that would ban simply based on the time between failures? In other words, such a tool would ban a failing login if the second attempt happened less than three seconds (or two seconds) after the first. Then legitimate users could simply be informed not to re-enter their password too quickly after an initial fail.

------------------------------------------------------------------------------

Not a direct answer to your question, but I do something a little different. Maybe it would be useful to you.

I have two or three overlapping rules. The first rule is what everyone does: incorrect password X times in Y minutes and you're banned for Z minutes. If X is fairly small (3-5 attempts), then Z (ban time) can't be too long, or else legitimate users who simply messed up will be disproportionately inconvenienced. So, for the sake of argument, let's say that after 3 failed attempts you ban them for 15 minutes, just to slow down any brute-force attempts.

Then I have a second rule that looks for (X plus 2) attempts over a longer time period and bans for a longer time. The idea being that a legitimate user who gets banned will likely look up the password and make sure they have it right. So they will be unlikely to mess up more than once or twice more. Therefore, anything more than a couple more attempts after being unbanned is likely a bad apple. So ban them for much longer. It also means that learning the timers doesn't help, because the secondary/longer timer will still get you.

I just learned of the recidive filter. Maybe that's an even better option. I haven't looked into it enough to know.

Michael
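The following is an added example, written for this page and not code from either post or from the fail2ban project. It runs two policies over constructed WordPress login-failure log lines: the interval rule the question asks for (ban on a second failure less than three seconds after the first) and the overlapping tiers Michael describes (3 failures in 10 minutes gives a 15-minute ban; 5 failures in 60 minutes gives a 24-hour ban). The log format, IP addresses, timestamps and the one-hour/24-hour numbers for the second tier are assumptions made for the example.

```python
"""Two login-failure ban policies over constructed log lines (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log. The line format is invented for this example; a real
# WordPress failure would be matched from the web-server or auth log instead.
# 198.51.100.7: scripted attacker, failures 0-1 s apart.
# 203.0.113.9:  learned the 3-in-10-minute rule, comes back after the 15-minute ban.
# 192.0.2.33:   legitimate user, two typos nine seconds apart.
SAMPLE_LOG = """\
2024-05-01 10:00:00 198.51.100.7 wp-login.php POST FAIL
2024-05-01 10:00:00 198.51.100.7 wp-login.php POST FAIL
2024-05-01 10:00:01 198.51.100.7 wp-login.php POST FAIL
2024-05-01 10:00:05 203.0.113.9 wp-login.php POST FAIL
2024-05-01 10:00:12 203.0.113.9 wp-login.php POST FAIL
2024-05-01 10:00:20 203.0.113.9 wp-login.php POST FAIL
2024-05-01 10:05:00 192.0.2.33 wp-login.php POST FAIL
2024-05-01 10:05:09 192.0.2.33 wp-login.php POST FAIL
2024-05-01 10:16:30 203.0.113.9 wp-login.php POST FAIL
2024-05-01 10:17:10 203.0.113.9 wp-login.php POST FAIL
"""

LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (?P<ip>\S+) wp-login\.php POST FAIL$"
)


def parse_failures(text):
    """Return [(datetime, ip), ...] for every failed login line, in file order."""
    out = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            out.append((datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), m["ip"]))
    return out


def interval_bans(failures, min_gap=3, bantime=15 * 60):
    """Rule from the question: ban an IP whose next failure arrives less than
    min_gap seconds after its previous one. Returns [(ip, time_of_ban), ...]."""
    last = {}           # ip -> time of its previous failure
    banned_until = {}   # ip -> end of current ban
    bans = []
    for ts, ip in failures:
        if ip in banned_until and ts < banned_until[ip]:
            continue    # a banned host cannot reach the server; ignore stray lines
        prev = last.get(ip)
        if prev is not None and (ts - prev).total_seconds() < min_gap:
            bans.append((ip, ts))
            banned_until[ip] = ts + timedelta(seconds=bantime)
            last.pop(ip, None)
        else:
            last[ip] = ts
    return bans


def jail(failures, maxretry, findtime, bantime):
    """Emulate one fail2ban-style jail: maxretry failures inside a sliding
    findtime-second window bans the IP for bantime seconds. Returns
    [(ip, time_of_ban, bantime), ...]."""
    window = defaultdict(list)
    banned_until = {}
    bans = []
    for ts, ip in failures:
        if ip in banned_until and ts < banned_until[ip]:
            continue
        hits = [t for t in window[ip] if (ts - t).total_seconds() <= findtime]
        hits.append(ts)
        if len(hits) >= maxretry:
            bans.append((ip, ts, bantime))
            banned_until[ip] = ts + timedelta(seconds=bantime)
            hits = []   # start a fresh count after a ban, as fail2ban does
        window[ip] = hits
    return bans


def tiered_bans(failures):
    """Michael's overlapping rules. Tier 1: 3 in 10 min -> 15 min ban.
    Tier 2 (numbers assumed): 5 in 60 min -> 24 h ban. Both count independently,
    so an attacker who learns the tier-1 timer still trips tier 2."""
    tier1 = jail(failures, maxretry=3, findtime=600, bantime=15 * 60)
    tier2 = jail(failures, maxretry=5, findtime=3600, bantime=24 * 3600)
    return tier1, tier2


if __name__ == "__main__":
    fails = parse_failures(SAMPLE_LOG)
    print("interval rule:", interval_bans(fails))
    t1, t2 = tiered_bans(fails)
    print("tier 1:", t1)
    print("tier 2:", t2)
```

On the sample, the interval rule bans only the scripted host, the legitimate user with two typos nine seconds apart is never touched, and the host that paced itself under the tier-1 threshold and returned after its 15-minute ban is caught by tier 2 on its fifth failure. In real fail2ban the same shape is expressed as two jails on the same filter with different maxretry, findtime and bantime values; the recidive jail Michael mentions does the second tier generically by reading fail2ban's own log and re-banning hosts that have already been banned several times.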
------------------------------------------------------------------------------
_______________________________________________
Fail2ban-users mailing list
Fail2ban-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/fail2ban-users