They don't seem to be well documented yet. The formula seems quite complex
in some ways. But if I'm reading the config file properly, you've got
various options for how you set it up.

I'll paste in what's in the basic conf file then explain what I do.

*standard conf that comes with jail.conf*

# "bantime.increment" allows to use database for searching of previously banned ip's to increase a
# default ban time using special formula, default it is banTime * 1, 2, 4, 8, 16, 32...
#bantime.increment = true

# "bantime.rndtime" is the max number of seconds using for mixing with random time
# to prevent "clever" botnets calculate exact time IP can be unbanned again:
#bantime.rndtime =

# "bantime.maxtime" is the max number of seconds using the ban time can reach (don't grows further)
#bantime.maxtime =

# "bantime.factor" is a coefficient to calculate exponent growing of the formula or common multiplier,
# default value of factor is 1 and with default value of formula, the ban time
# grows by 1, 2, 4, 8, 16 ...
#bantime.factor = 1

# "bantime.formula" used by default to calculate next value of ban time, default value bellow,
# the same ban time growing will be reached by multipliers 1, 2, 4, 8, 16, 32...
#bantime.formula = ban.Time * (1<<(ban.Count if ban.Count<20 else 20)) * banFactor
#
# more aggressive example of formula has the same values only for factor "2.0 / 2.885385" :
#bantime.formula = ban.Time * math.exp(float(ban.Count+1)*banFactor)/math.exp(1*banFactor)

# "bantime.multipliers" used to calculate next value of ban time instead of formula, coresponding
# previously ban count and given "bantime.factor" (for multipliers default is 1);
# following example grows ban time by 1, 2, 4, 8, 16 ... and if last ban count greater as multipliers count,
# always used last multiplier (64 in example), for factor '1' and original ban time 600 - 10.6 hours
#bantime.multipliers = 1 2 4 8 16 32 64
# following example can be used for small initial ban time (bantime=60) - it grows more aggressive at begin,
# for bantime=60 the multipliers are minutes and equal: 1 min, 5 min, 30 min, 1 hour, 5 hour, 12 hour, 1 day, 2 day
#bantime.multipliers = 1 5 30 60 300 720 1440 2880

# "bantime.overalljails" (if true) specifies the search of IP in the database will be executed
# cross over all jails, if false (dafault), only current jail of the ban IP will be searched
#bantime.overalljails = false

If I'm understanding this correctly, I can change the formula, or I can
change the multiplier - I *think* either way is acceptable as a way of
calculating what the increase should be.

Here is my config, from my jail.local

1) My DB has a purge age of a few years. At the moment, in versions before
0.10, the DB never gets purged. But it's been fixed and it does now purge.
If you want to be able to ban things for a long time using multipliers,
you'll need a long purge age - because f2b decides whether something should
be classed as "bad" and therefore have its ban time lengthened by whether
it's in the database. If the database has been purged, the IP address
might've been removed.

At this stage I don't know whether a 2-year-long purge age will result in
all my disk space being used or whether it will cripple f2b's database
usage. I'll report back!

2) My bantime starts at 7200 - 2 hours. I chose this on the basis that most
attacks seem to be one-offs, and now that I can multiply ban times it makes
sense to unban one-off offenders after a few hours. They will likely have
stopped trying to attack me. If they come back, their ban will be increased.

3) My multiplier is odd: It's 2 days, 14 days, 90 days, then 3 years. Why?
Because sometimes an IP address will attack just for a few days or a few
weeks before the IP address owner realises their machine has been hijacked.
So, you get a few chances to mend your ways. After 14 days, you're probably
just a bad IP, so you get banned for 90 days. But because people change
their hosting sometimes, I give you a chance after 90 days. Then, it's 3
years. Because if you've attacked and been banned for 2 hours, 2 days, 14
days, then 90 days, that means you've attacked me 4 times in a period of
3.5 months - you're a bad guy.

*Here is what that section of my jail.local looks like:*

bantime = 7200
bantime.increment = true

# the variable hour is set earlier in the file - I use variables to set lots of different time periods, so it is easier to understand the config
bantime.rndtime = %(hour)s

bantime.factor = 1

# I don't know if I need this but it's there anyway
bantime.formula = ban.Time * (1<<(ban.Count if ban.Count<20 else 20)) * banFactor

# this is 2 days, 14 days, 90 days etc multiplied with a starting ban time of 2 hours
bantime.multipliers = 1 24 168 1080 2184 4380 12000 24000

# I do this cos I have a jail for fast attacks - bots that hit me dozens of times a second, as well as a jail for specific types of bots
# so depending on which jail they hit first, they might be banned by different jails at different times
bantime.overalljails = true

I use a home-baked script to send me detailed emails about this. Here's
part of it (it's copied and pasted html so it might not look the way it
should - if you're interested, the links would take you to an unban script
that anyone can access but is extremely locked down and can only be run
from the back-end):

Hi Tony


The IP 42.236.10.81 has just been banned by Fail2Ban after 1
attempt against crawlers. This IP has been banned 4 times and is now a
multiple offender.


*Similar banned IPs*

42.236.10.82 crawlers 29-03-2018 14 days, 13-04-2018 17:03:33)

42.236.10.84 crawlers 03-04-2018 14 days, 17-04-2018 19:14:45)

42.236.10.109 crawlers 27-03-2018 14 days, 11-04-2018 13:15:37)

42.236.10.110 crawlers 04-04-2018 14 days, 18-04-2018 17:25:03)

42.236.10.113 crawlers 01-04-2018 14 days, 15-04-2018 11:18:14)

42.236.10.114 crawlers 05-04-2018 14 days, 19-04-2018 09:04:45)

42.236.12.150 crawlers 29-03-2018 14 days, 12-04-2018 23:39:09)

42.236.46.85 crawlers 28-03-2018 14 days, 12-04-2018 03:07:17)


*Previous bans*

16-03-2018 15:50:21 [crawlers] Ban

16-03-2018 17:50:20 [crawlers] Unban

17-03-2018 14:16:50 [crawlers] Ban

19-03-2018 20:06:08 [crawlers] Unban

24-03-2018 21:25:22 [crawlers] Ban

08-04-2018 14:24:25 [crawlers] Unban

10-04-2018 04:46:49 [crawlers] Ban


*Ban increments*

17-03-2018 [crawlers] Increase Ban (2: 2 days, 19-03-2018 20:06:08)

24-03-2018 [crawlers] Increase Ban (3: 14 days, 08-04-2018 14:24:23)

10-04-2018 [crawlers] Increase Ban (4: 90 days, 09-07-2018 05:21:36)




Tony Collins
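
The escalation described in this post, modelled as an added example (not part of the original message and not fail2ban's own code): it follows the jail.conf comments quoted above and the ban history in the sample email. Function names, the order in which maxtime and rndtime are applied, and indexing the multipliers by the number of earlier bans are assumptions of this model.

```python
import random

HOUR, DAY = 3600, 86400
# bantime.multipliers from the jail.local quoted in the post
POST_MULTIPLIERS = [1, 24, 168, 1080, 2184, 4380, 12000, 24000]

def default_formula(ban_time, ban_count, factor=1):
    # jail.conf default: ban.Time * (1<<(ban.Count if ban.Count<20 else 20)) * banFactor
    return ban_time * (1 << (ban_count if ban_count < 20 else 20)) * factor

def next_ban_time(ban_time, ban_count, factor=1, multipliers=None,
                  maxtime=None, rndtime=0, rng=random.random):
    """Ban length in seconds for an IP with `ban_count` earlier bans on record."""
    if multipliers:
        # Multipliers replace the formula; past the end of the list the
        # last multiplier keeps being used.
        idx = min(ban_count, len(multipliers) - 1)
        seconds = ban_time * multipliers[idx] * factor
    else:
        seconds = default_formula(ban_time, ban_count, factor)
    if maxtime is not None:
        seconds = min(seconds, maxtime)  # bantime.maxtime caps the growth
    # bantime.rndtime: up to rndtime random seconds are mixed in
    # (applying it after the cap is an assumption of this model)
    return int(seconds + rndtime * rng())

def schedule(ban_time, bans, **opts):
    """Ban lengths for the 1st..Nth ban of the same IP."""
    return [next_ban_time(ban_time, n, **opts) for n in range(bans)]

def bans_longer_than_purge(ban_time, multipliers, dbpurgeage, factor=1):
    """Configured steps whose ban lasts longer than dbpurgeage (seconds)."""
    steps = schedule(ban_time, len(multipliers),
                     multipliers=multipliers, factor=factor)
    return [s for s in steps if s > dbpurgeage]

if __name__ == "__main__":
    for n, s in enumerate(schedule(2 * HOUR, 9, multipliers=POST_MULTIPLIERS), 1):
        print(f"ban {n}: {s / DAY:8.2f} days")
    too_long = bans_longer_than_purge(2 * HOUR, POST_MULTIPLIERS, 2 * 365 * DAY)
    print("bans longer than a 2-year dbpurgeage:", [s // DAY for s in too_long])
```

With the post's multipliers and a 2-year purge age, the first four bans come out as 2 hours, 2 days, 14 days and 90 days, and the last two steps (1000 and 2000 days) are longer than the purge age.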


On 31 March 2018 at 15:19, Palvelin Postmaster via Fail2ban-users <
fail2ban-users@lists.sourceforge.net> wrote:

> Are the various multiplier settings documented somewhere?
>
> Examples would be very welcome too. Isn’t that what this list is for? :)
>
>
> > On 30 Mar 2018, at 14:46, Tony Collins <t...@evilplan.org.uk> wrote:
> >
> > Hi!
> >
> > It's really configurable: there's a basic on/off setting, but you can
> also tell it how much to increase by each time, and you can set either
> simple or aggressive formulae.
> >
> > This is one of the settings for the multiplier:
> >
> > bantime.multipliers = 1 2 16 90 182 365 1000 2000
> >
> > That shows how aggressively it will increase the bantime. In example
> above, my bantime of 86400 (1 day) will ban a persistent offender for 1
> day, 2 days, 16 days etc. You can configure it in a really granular way if
> you manipulate the ban time with the multiplier.
> >
> > In terms of purging, yes I'm talking about dbpurgeage. Until 0.10 or
> 0.11 that setting didn't actually do anything. No function was ever written
> to purge the DB.
> >
> > Now it works; it does purge after dbpurgeage. So I set my purge age to 2
> years, so that it remembers long-time bans. But that's because my
> multiplier eventually bans bad IPs for a year or more.
> >
> > The purge age amount depends on what sort of ban times you set.
> >
> > If you want to discuss more specific examples, I can show you how I'm
> using it.
> >
> > It's honestly improved f2b by ten times for me - the recidive jail never
> quite worked for me because it was not very configurable, but now we have
> an ability to generate longer and longer ban times, so Fail2Ban really
> feels even more useful.
> >
> > Tony
> >
> > On Fri, 30 Mar 2018 at 11:31, Palvelin Postmaster via Fail2ban-users <
> fail2ban-users@lists.sourceforge.net> wrote:
> >
> >
> > > On 15 Mar 2018, at 12:00, Tony Collins <t...@evilplan.org.uk> wrote:
> > >
> > > One other thing: the 0.11.x version of f2b has a ban time
> "multiplier", which is just fantastic - if the same IP keeps getting
> banned, f2b automatically increases the ban time. To do that you need a
> long 'purgeage' setting (so it can remember that an IP was banned a few
> months ago), and again once you use f2b to manage your blocks, it can just
> take care of everything - you never need to use iptables commands for
> unblocking, because f2b 0.11.x manages ban times so much more effectively
> and logically. F2b has always managed bans and unbans pretty well, but
> there's been some really excellent polish applied to recent versions.
> >
> > Is the ’multiplier’ applied automatically or is there a setting?
> >
> > I presume by ’purgeable’ you refer to the dbpurgeage setting. Where should
> one ideally set it in regards to the new automatically increasing ban time?
> > ------------------------------------------------------------
> ------------------
> > Check out the vibrant tech community on one of the world's most
> > engaging tech sites, Slashdot.org! http://sdm.link/slashdot
> > _______________________________________________
> > Fail2ban-users mailing list
> > Fail2ban-users@lists.sourceforge.net
> > https://lists.sourceforge.net/lists/listinfo/fail2ban-users
> > --
> > -- Tony Collins