Thanks Tony, you’re awesome! :)

> On 10 Apr 2018, at 15:35, Tony Collins <t...@evilplan.org.uk> wrote:
> 
> They don't seem to be well documented yet. The formula seems quite complex in 
> some ways. But if I'm reading the config file properly, you've got various 
> options for how you set it up.
> 
> I'll paste in what's in the basic conf file then explain what I do.
> 
> standard conf that comes with jail.conf
> 
> # "bantime.increment" allows to use database for searching of previously banned ip's to increase a
> # default ban time using special formula, default it is banTime * 1, 2, 4, 8, 16, 32...
> #bantime.increment = true
> 
> # "bantime.rndtime" is the max number of seconds using for mixing with random time
> # to prevent "clever" botnets calculate exact time IP can be unbanned again:
> #bantime.rndtime = 
> 
> # "bantime.maxtime" is the max number of seconds using the ban time can reach (don't grows further)
> #bantime.maxtime = 
> 
> # "bantime.factor" is a coefficient to calculate exponent growing of the formula or common multiplier,
> # default value of factor is 1 and with default value of formula, the ban time
> # grows by 1, 2, 4, 8, 16 ...
> #bantime.factor = 1
> 
> # "bantime.formula" used by default to calculate next value of ban time, default value below,
> # the same ban time growing will be reached by multipliers 1, 2, 4, 8, 16, 32...
> #bantime.formula = ban.Time * (1<<(ban.Count if ban.Count<20 else 20)) * banFactor
> #
> # more aggressive example of formula has the same values only for factor "2.0 / 2.885385" :
> #bantime.formula = ban.Time * math.exp(float(ban.Count+1)*banFactor)/math.exp(1*banFactor)
> 
> # "bantime.multipliers" used to calculate next value of ban time instead of formula, corresponding
> # previously ban count and given "bantime.factor" (for multipliers default is 1);
> # following example grows ban time by 1, 2, 4, 8, 16 ... and if last ban count greater as multipliers count,
> # always used last multiplier (64 in example), for factor '1' and original ban time 600 - 10.6 hours
> #bantime.multipliers = 1 2 4 8 16 32 64
> # following example can be used for small initial ban time (bantime=60) - it grows more aggressive at begin,
> # for bantime=60 the multipliers are minutes and equal: 1 min, 5 min, 30 min, 1 hour, 5 hour, 12 hour, 1 day, 2 day
> #bantime.multipliers = 1 5 30 60 300 720 1440 2880
> 
> # "bantime.overalljails" (if true) specifies the search of IP in the database will be executed
> # cross over all jails, if false (default), only current jail of the ban IP will be searched
> #bantime.overalljails = false
> 
> If I'm understanding this correctly, I can change the formula, or I can 
> change the multiplier - I *think* either way is acceptable as a way of 
> calculating what the increase should be.
> 
> Here is my config, from my jail.local
> 
> 1) My DB has a purge age of a few years. At the moment, in versions before 
> 0.10, the DB never gets purged. But it's been fixed and it does now purge. If 
> you want to be able to ban things for a long time using multipliers, you'll 
> need a long purge age - because f2b decides whether something should be 
> classed as "bad" and therefore have its ban time lengthened by whether it's 
> in the database. If the database has been purged, the IP address might've 
> been removed.
> 
> At this stage I don't know whether a 2-year-long purge age will result in all 
> my disk space being used or whether it will cripple f2b's database usage. 
> I'll report back!
> 
> 2) My bantime starts at 7200 - 2 hours. I chose this on the basis that most 
> attacks seem to be one-offs, and now that I can multiply ban times it makes 
> sense to unban one-off offenders after a few hours. They will likely have 
> stopped trying to attack me. If they come back, their ban will be increased.
> 
> 3) My multiplier is odd: It's 2 days, 14 days, 90 days, then 3 years. Why? 
> Because sometimes an IP address will attack just for a few days or a few 
> weeks before the IP address owner realises their machine has been hijacked. 
> So, you get a few chances to mend your ways. After 14 days, you're probably 
> just a bad IP, so you get banned for 90 days. But because people change their 
> hosting sometimes, I give you a chance after 90 days. Then, it's 3 years. 
> Because if you've attacked and been banned for 2 hours, 2 days, 14 days, then 
> 90 days, that means you've attacked me 4 times in a period of 3.5 months - 
> you're a bad guy.
> 
> Here is what that section of my jail.local looks like:
> 
> bantime = 7200
> bantime.increment = true
> 
> # the variable hour is set earlier in the file - I use variables to set lots of different time periods, so it is easier to understand the config
> bantime.rndtime = %(hour)s
> 
> bantime.factor = 1
> 
> # I don't know if I need this but it's there anyway
> bantime.formula = ban.Time * (1<<(ban.Count if ban.Count<20 else 20)) * banFactor
> 
> # this is 2 days, 14 days, 90 days etc multiplied with a starting ban time of 2 hours
> bantime.multipliers = 1 24 168 1080 2184 4380 12000 24000
> 
> # I do this cos I have a jail for fast attacks - bots that hit me dozens of times a second, as well as a jail for specific types of bots
> # so depending on which jail they hit first, they might be banned by different jails at different times
> bantime.overalljails = true
> 
> I use a home-baked script to send me detailed emails about this. Here's part 
> of it (it's copied and pasted html so it might not look the way it should - 
> if you're interested, the links would take you to an unban script that anyone 
> can access but is extremely locked down and can only be run from the 
> back-end):
> 
> Hi Tony
> 
> The IP 42.236.10.81 has just been banned by Fail2Ban after 1 attempt against 
> crawlers. This IP has been banned 4 times and is now a multiple offender.
> 
> Similar banned IPs
> 42.236.10.82 crawlers 29-03-2018 14 days, 13-04-2018 17:03:33)
> 42.236.10.84 crawlers 03-04-2018 14 days, 17-04-2018 19:14:45)
> 42.236.10.109 crawlers 27-03-2018 14 days, 11-04-2018 13:15:37)
> 42.236.10.110 crawlers 04-04-2018 14 days, 18-04-2018 17:25:03)
> 42.236.10.113 crawlers 01-04-2018 14 days, 15-04-2018 11:18:14)
> 42.236.10.114 crawlers 05-04-2018 14 days, 19-04-2018 09:04:45)
> 42.236.12.150 crawlers 29-03-2018 14 days, 12-04-2018 23:39:09)
> 42.236.46.85 crawlers 28-03-2018 14 days, 12-04-2018 03:07:17)
> 
> Previous bans
> 16-03-2018 15:50:21 [crawlers] Ban
> 16-03-2018 17:50:20 [crawlers] Unban
> 17-03-2018 14:16:50 [crawlers] Ban
> 19-03-2018 20:06:08 [crawlers] Unban
> 24-03-2018 21:25:22 [crawlers] Ban
> 08-04-2018 14:24:25 [crawlers] Unban
> 10-04-2018 04:46:49 [crawlers] Ban
> 
> Ban increments
> 17-03-2018 [crawlers] Increase Ban (2: 2 days, 19-03-2018 20:06:08) 
> 24-03-2018 [crawlers] Increase Ban (3: 14 days, 08-04-2018 14:24:23) 
> 10-04-2018 [crawlers] Increase Ban (4: 90 days, 09-07-2018 05:21:36) 
> 
> 
> 
> 
> Tony Collins
> 
> 
> On 31 March 2018 at 15:19, Palvelin Postmaster via Fail2ban-users 
> <fail2ban-users@lists.sourceforge.net> wrote:
> Are the various multiplier settings documented somewhere?
> 
> Examples would be very welcome too. Isn’t that what this list is for? :)
> 
> 
> > On 30 Mar 2018, at 14:46, Tony Collins <t...@evilplan.org.uk> wrote:
> >
> > Hi!
> >
> > It's really configurable: there's a basic on/off setting, but you can also 
> > tell it how much to increase by each time, and you can set either simple or 
> > aggressive formulae.
> >
> > This is one of the settings for the multiplier:
> >
> > bantime.multipliers = 1 2 16 90 182 365 1000 2000
> >
> > That shows how aggressively it will increase the bantime. In example above, 
> > my bantime of 86400 (1 day) will ban a persistent offender for 1 day, 2 
> > days, 16 days etc. You can configure it in a really granular way if you 
> > manipulate the ban time with the multiplier.
> >
> > In terms of purging, yes I'm talking about dbpurgeage. Until 0.10 or 0.11 
> > that setting didn't actually do anything. No function was ever written to 
> > purge the DB.
> >
> > Now it works; it does purge after dbpurgeage. So I set my purge age to 2 
> > years, so that it remembers long-time bans. But that's because my 
> > multiplier eventually bans bad IPs for a year or more.
> >
> > The purge age amount depends on what sort of ban times you set.
> >
> > If you want to discuss more specific examples, I can show you how I'm using 
> > it.
> >
> > It's honestly improved f2b by ten times for me - the recidive jail never 
> > quite worked for me because it was not very configurable, but now we have 
> > an ability to generate longer and longer ban times, so Fail2Ban really 
> > feels even more useful.
> >
> > Tony
> >
> > On Fri, 30 Mar 2018 at 11:31, Palvelin Postmaster via Fail2ban-users 
> > <fail2ban-users@lists.sourceforge.net> wrote:
> >
> >
> > > On 15 Mar 2018, at 12:00, Tony Collins <t...@evilplan.org.uk> wrote:
> > >
> > > One other thing: the 0.11.x version of f2b has a ban time "multiplier", 
> > > which is just fantastic - if the same IP keeps getting banned, f2b 
> > > automatically increases the ban time. To do that you need a long 
> > > 'purgeage' setting (so it can remember that an IP was banned a few months 
> > > ago), and again once you use f2b to manage your blocks, it can just take 
> > > care of everything - you never need to use iptables commands for 
> > > unblocking, because f2b 0.11.x manages ban times so much more effectively 
> > > and logically. F2b has always managed bans and unbans pretty well, but 
> > > there's been some really excellent polish applied to recent versions.
> >
> > Is the ’multiplier’ applied automatically or is there a setting?
> >
> > I presume by ’purgeable’ you refer to the dbpurgeage setting. Where should one 
> > ideally set it in regards to the new automatically increasing ban time?
> > ------------------------------------------------------------------------------
> > Check out the vibrant tech community on one of the world's most
> > engaging tech sites, Slashdot.org! http://sdm.link/slashdot
> > _______________________________________________
> > Fail2ban-users mailing list
> > Fail2ban-users@lists.sourceforge.net
> > https://lists.sourceforge.net/lists/listinfo/fail2ban-users
> > --
> > -- Tony Collins
> 
> 
> 


--
Palvelin.fi Hostmaster
postmas...@palvelin.fi
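The two ways of growing the ban time that the thread walks through (the default and "more aggressive" bantime.formula versus a bantime.multipliers list, with bantime.factor, bantime.maxtime and bantime.rndtime on top), as an added Python model that is not fail2ban's own code and not part of the thread. That ban_count 0 means the first ban and that the last multiplier is reused past the end of the list are assumptions taken from the jail.conf comments quoted above.

```python
"""Model of fail2ban's bantime.increment behaviour: next ban length from the
default formula, the 'more aggressive' exp formula, or a bantime.multipliers
list, with bantime.factor, bantime.maxtime and bantime.rndtime applied.
Added example, not fail2ban's own code; ban_count 0 = first ban and reuse of
the last multiplier are assumptions read from the quoted jail.conf comments."""
import math
import random

HOUR = 3600
DAY = 24 * HOUR


def next_bantime(ban_time, ban_count, factor=1.0, multipliers=None,
                 aggressive=False, maxtime=None, rndtime=0, rng=random):
    """Seconds to ban on the (ban_count + 1)-th ban of the same IP."""
    if multipliers:
        # bantime.multipliers: pick by previous ban count, last entry past the end
        mult = multipliers[min(ban_count, len(multipliers) - 1)]
        new_time = ban_time * mult * factor
    elif aggressive:
        # jail.conf: ban.Time * math.exp(float(ban.Count+1)*banFactor)/math.exp(1*banFactor)
        new_time = ban_time * math.exp((ban_count + 1) * factor) / math.exp(factor)
    else:
        # jail.conf default: ban.Time * (1<<(ban.Count if ban.Count<20 else 20)) * banFactor
        new_time = ban_time * (1 << min(ban_count, 20)) * factor
    if maxtime is not None:
        new_time = min(new_time, maxtime)  # bantime.maxtime: hard ceiling
    if rndtime:
        # bantime.rndtime: jitter so the exact unban moment cannot be predicted
        new_time += rng.randint(0, rndtime)
    return int(round(new_time))


def schedule(ban_time, repeats, **kw):
    """Ban lengths for the first `repeats` bans of one IP."""
    return [next_bantime(ban_time, n, **kw) for n in range(repeats)]


def humanize(seconds):
    if seconds % DAY == 0:
        return f"{seconds // DAY} days"
    if seconds % HOUR == 0:
        return f"{seconds // HOUR} hours"
    return f"{seconds} s"


if __name__ == "__main__":
    tony = [1, 24, 168, 1080, 2184, 4380, 12000, 24000]  # from Tony's jail.local
    print([humanize(t) for t in schedule(7200, 10, multipliers=tony)])
    print([humanize(t) for t in schedule(600, 6, maxtime=4 * HOUR)])
```

Running it reproduces the 2 hours, 2 days, 14 days, 90 days progression from the email notifications above, and shows that the exp formula with factor 2.0 / 2.885385 matches the default doubling formula.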


