Thanks Tony, you’re awesome! :)
> On 10 Apr 2018, at 15:35, Tony Collins <t...@evilplan.org.uk> wrote:
>
> They don't seem to be well documented yet. The formula seems quite complex in some ways. But if I'm reading the config file properly, you've got various options for how you set it up.
>
> I'll paste in what's in the basic conf file then explain what I do.
>
> standard conf that comes with jail.conf
>
> # "bantime.increment" allows to use database for searching of previously banned ip's to increase a
> # default ban time using special formula, default it is banTime * 1, 2, 4, 8, 16, 32...
> #bantime.increment = true
>
> # "bantime.rndtime" is the max number of seconds using for mixing with random time
> # to prevent "clever" botnets calculate exact time IP can be unbanned again:
> #bantime.rndtime =
>
> # "bantime.maxtime" is the max number of seconds using the ban time can reach (don't grows further)
> #bantime.maxtime =
>
> # "bantime.factor" is a coefficient to calculate exponent growing of the formula or common multiplier,
> # default value of factor is 1 and with default value of formula, the ban time
> # grows by 1, 2, 4, 8, 16 ...
> #bantime.factor = 1
>
> # "bantime.formula" used by default to calculate next value of ban time, default value below,
> # the same ban time growing will be reached by multipliers 1, 2, 4, 8, 16, 32...
> #bantime.formula = ban.Time * (1<<(ban.Count if ban.Count<20 else 20)) * banFactor
> #
> # more aggressive example of formula has the same values only for factor "2.0 / 2.885385" :
> #bantime.formula = ban.Time * math.exp(float(ban.Count+1)*banFactor)/math.exp(1*banFactor)
>
> # "bantime.multipliers" used to calculate next value of ban time instead of formula, corresponding
> # previously ban count and given "bantime.factor" (for multipliers default is 1);
> # following example grows ban time by 1, 2, 4, 8, 16 ... and if last ban count greater as multipliers count,
> # always used last multiplier (64 in example), for factor '1' and original ban time 600 - 10.6 hours
> #bantime.multipliers = 1 2 4 8 16 32 64
> # following example can be used for small initial ban time (bantime=60) - it grows more aggressive at begin,
> # for bantime=60 the multipliers are minutes and equal: 1 min, 5 min, 30 min, 1 hour, 5 hour, 12 hour, 1 day, 2 day
> #bantime.multipliers = 1 5 30 60 300 720 1440 2880
>
> # "bantime.overalljails" (if true) specifies the search of IP in the database will be executed
> # cross over all jails, if false (default), only current jail of the ban IP will be searched
> #bantime.overalljails = false
>
> If I'm understanding this correctly, I can change the formula, or I can change the multiplier - I *think* either way is acceptable as a way of calculating what the increase should be.
>
> Here is my config, from my jail.local
>
> 1) My DB has a purge age of a few years. At the moment, in versions before 0.10, the DB never gets purged. But it's been fixed and it does now purge. If you want to be able to ban things for a long time using multipliers, you'll need a long purge age - because f2b decides whether something should be classed as "bad" and therefore have its ban time lengthened by whether it's in the database. If the database has been purged, the IP address might've been removed.
>
> At this stage I don't know whether a 2-year-long purge age will result in all my disk space being used or whether it will cripple f2b's database usage. I'll report back!
>
> 2) My bantime starts at 7200 - 2 hours. I chose this on the basis that most attacks seem to be one-offs, and now that I can multiply ban times it makes sense to unban one-off offenders after a few hours. They will likely have stopped trying to attack me. If they come back, their ban will be increased.
>
> 3) My multiplier is odd: It's 2 days, 14 days, 90 days, then 3 years. Why? Because sometimes an IP address will attack just for a few days or a few weeks before the IP address owner realises their machine has been hijacked. So, you get a few chances to mend your ways. After 14 days, you're probably just a bad IP, so you get banned for 90 days. But because people change their hosting sometimes, I give you a chance after 90 days. Then, it's 3 years. Because if you've attacked and been banned for 2 hours, 2 days, 14 days, then 90 days, that means you've attacked me 4 times in a period of 3.5 months - you're a bad guy.
>
> Here is what that section of my jail.local looks like:
>
> bantime = 7200
> bantime.increment = true
>
> # the variable hour is set earlier in the file - I use variables to set lots of different time periods, so it is easier to understand the config
> bantime.rndtime = %(hour)s
> .
> bantime.factor = 1
>
> # I don't know if I need this but it's there anyway
> bantime.formula = ban.Time * (1<<(ban.Count if ban.Count<20 else 20)) * banFactor
>
> # this is 2 days, 14 days, 90 days etc multiplied with a starting ban time of 2 hours
> bantime.multipliers = 1 24 168 1080 2184 4380 12000 24000
>
> # I do this cos I have a jail for fast attacks - bots that hit me dozens of times a second, as well as a jail for specific types of bots
> # so depending on which jail they hit first, they might be banned by different jails at different times
> bantime.overalljails = true
>
> I use a home-baked script to send me detailed emails about this. Here's part of it (it's copied and pasted html so it might not look the way it should - if you're interested, the links would take you to an unban script that anyone can access but is extremely locked down and can only be run from the back-end):
>
> Hi Tony
>
> The IP 42.236.10.81 has just been banned by Fail2Ban after 1 attempt against crawlers. This IP has been banned 4 times and is now a multiple offender.
>
> Similar banned IPs
> 42.236.10.82 crawlers 29-03-2018 14 days, 13-04-2018 17:03:33)
> 42.236.10.84 crawlers 03-04-2018 14 days, 17-04-2018 19:14:45)
> 42.236.10.109 crawlers 27-03-2018 14 days, 11-04-2018 13:15:37)
> 42.236.10.110 crawlers 04-04-2018 14 days, 18-04-2018 17:25:03)
> 42.236.10.113 crawlers 01-04-2018 14 days, 15-04-2018 11:18:14)
> 42.236.10.114 crawlers 05-04-2018 14 days, 19-04-2018 09:04:45)
> 42.236.12.150 crawlers 29-03-2018 14 days, 12-04-2018 23:39:09)
> 42.236.46.85 crawlers 28-03-2018 14 days, 12-04-2018 03:07:17)
>
> Previous bans
> 16-03-2018 15:50:21 [crawlers] Ban
> 16-03-2018 17:50:20 [crawlers] Unban
> 17-03-2018 14:16:50 [crawlers] Ban
> 19-03-2018 20:06:08 [crawlers] Unban
> 24-03-2018 21:25:22 [crawlers] Ban
> 08-04-2018 14:24:25 [crawlers] Unban
> 10-04-2018 04:46:49 [crawlers] Ban
>
> Ban increments
> 17-03-2018 [crawlers] Increase Ban (2: 2 days, 19-03-2018 20:06:08)
> 24-03-2018 [crawlers] Increase Ban (3: 14 days, 08-04-2018 14:24:23)
> 10-04-2018 [crawlers] Increase Ban (4: 90 days, 09-07-2018 05:21:36)
>
> Tony Collins
>
> On 31 March 2018 at 15:19, Palvelin Postmaster via Fail2ban-users <fail2ban-users@lists.sourceforge.net> wrote:
> Are the various multiplier settings documented somewhere?
>
> Examples would be very welcome too. Isn't that what this list is for? :)
>
> > On 30 Mar 2018, at 14:46, Tony Collins <t...@evilplan.org.uk> wrote:
> >
> > Hi!
> >
> > It's really configurable: there's a basic on/off setting, but you can also tell it how much to increase by each time, and you can set either simple or aggressive formulae.
> >
> > This is one of the settings for the multiplier:
> >
> > bantime.multipliers = 1 2 16 90 182 365 1000 2000
> >
> > That shows how aggressively it will increase the bantime. In the example above, my bantime of 86400 (1 day) will ban a persistent offender for 1 day, 2 days, 16 days etc. You can configure it in a really granular way if you manipulate the ban time with the multiplier.
> >
> > In terms of purging, yes I'm talking about dbpurgeage. Until 0.10 or 0.11 that setting didn't actually do anything. No function was ever written to purge the DB.
> >
> > Now it works; it does purge after dbpurgeage. So I set my purge age to 2 years, so that it remembers long-time bans. But that's because my multiplier eventually bans bad IPs for a year or more.
> >
> > The purge age amount depends on what sort of ban times you set.
> >
> > If you want to discuss more specific examples, I can show you how I'm using it.
> >
> > It's honestly improved f2b by ten times for me - the recidive jail never quite worked for me because it was not very configurable, but now we have an ability to generate longer and longer ban times, so Fail2Ban really feels even more useful.
> >
> > Tony
> >
> > On Fri, 30 Mar 2018 at 11:31, Palvelin Postmaster via Fail2ban-users <fail2ban-users@lists.sourceforge.net> wrote:
> >
> > > On 15 Mar 2018, at 12:00, Tony Collins <t...@evilplan.org.uk> wrote:
> > >
> > > One other thing: the 0.11.x version of f2b has a ban time "multiplier", which is just fantastic - if the same IP keeps getting banned, f2b automatically increases the ban time. To do that you need a long 'purgeage' setting (so it can remember that an IP was banned a few months ago), and again once you use f2b to manage your blocks, it can just take care of everything - you never need to use iptables commands for unblocking, because f2b 0.11.x manages ban times so much more effectively and logically. F2b has always managed bans and unbans pretty well, but there's been some really excellent polish applied to recent versions.
> >
> > Is the 'multiplier' applied automatically or is there a setting?
> >
> > I presume by 'purgeable' you refer to the dbpurgeage setting.
> > Where should one ideally set it in regards to the new automatically increasing ban time?
> > ------------------------------------------------------------------------------
> > Check out the vibrant tech community on one of the world's most
> > engaging tech sites, Slashdot.org! http://sdm.link/slashdot
> > _______________________________________________
> > Fail2ban-users mailing list
> > Fail2ban-users@lists.sourceforge.net
> > https://lists.sourceforge.net/lists/listinfo/fail2ban-users
> > --
> > -- Tony Collins
>

-- 
Palvelin.fi Hostmaster
postmas...@palvelin.fi
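As an added example for the thread (not code from any of the posters and not fail2ban's own implementation), the following Python reimplements the ban-time arithmetic that the jail.conf comments quoted above describe, so a schedule like the one in Tony's jail.local can be computed and sanity-checked before it goes live. It assumes that ban.Count is the number of previous bans of the IP recorded in the database, i.e. 0 on the first ban, which is what the comment's "1, 2, 4, 8" sequence and the "Increase Ban (2: 2 days ...)" line both imply; the function names next_bantime, schedule and humanize are mine, and the formula is evaluated as the Python expression the jail.conf examples are written in.

```python
"""Ban-time schedule calculator mirroring fail2ban's bantime.increment rules.

Added example, not fail2ban's own code: it reimplements the arithmetic
stated in the jail.conf comments (formula, multipliers, factor, maxtime,
rndtime) so a jail.local schedule can be checked before deployment.
Assumption: ``count`` is the number of previous bans of the IP found in the
database, so the first ban has count 0.
"""
import math
import random
from typing import Callable, List, Optional


class Ban:
    """Stand-in for the ``ban`` object the formula refers to (ban.Time, ban.Count)."""

    def __init__(self, time: float, count: int) -> None:
        self.Time = time
        self.Count = count


# Default formula from jail.conf: doubles on every ban until the 20th, then stays flat.
DEFAULT_FORMULA = "ban.Time * (1<<(ban.Count if ban.Count<20 else 20)) * banFactor"


def parse_multipliers(value: str) -> List[int]:
    """Parse the space-separated jail.conf value, e.g. '1 24 168' -> [1, 24, 168]."""
    return [int(tok) for tok in value.split()]


def next_bantime(bantime: float, count: int, *,
                 multipliers: Optional[List[int]] = None,
                 factor: float = 1.0,
                 formula: str = DEFAULT_FORMULA,
                 maxtime: Optional[float] = None,
                 rndtime: float = 0.0,
                 rnd: Callable[[], float] = random.random) -> int:
    """Seconds to ban an IP that already has ``count`` bans on record.

    Multipliers take precedence over the formula; past the end of the list
    the last multiplier is reused, as the jail.conf comment states.  The
    formula is a Python expression with ``ban``, ``banFactor`` and ``math``
    in scope (the names the jail.conf examples use).  Because it comes from
    a config file it is evaluated with only the few builtins those examples
    need rather than the full interpreter namespace.
    """
    ban = Ban(bantime, count)
    if multipliers:
        idx = count if count < len(multipliers) else -1
        secs = ban.Time * multipliers[idx] * factor
    else:
        scope = {"__builtins__": {"float": float, "int": int, "min": min, "max": max},
                 "ban": ban, "banFactor": factor, "math": math}
        secs = eval(formula, scope)
    if maxtime is not None:
        secs = min(secs, maxtime)          # bantime.maxtime: never grow past this
    if rndtime:
        secs += rnd() * rndtime            # bantime.rndtime: jitter the unban moment
    return int(secs)


def schedule(bantime: float, bans: int, **kw) -> List[int]:
    """Ban lengths for the 1st .. ``bans``-th ban of the same IP."""
    return [next_bantime(bantime, n, **kw) for n in range(bans)]


def humanize(secs: int) -> str:
    """Exact whole units only: 172800 -> '2d', 7200 -> '2h', 90 -> '90s'."""
    for unit, size in (("d", 86400), ("h", 3600), ("m", 60)):
        if secs >= size and secs % size == 0:
            return "%d%s" % (secs // size, unit)
    return "%ds" % secs


if __name__ == "__main__":
    # Values from Tony's jail.local: 2 h base, multipliers expressed in hours.
    tony = parse_multipliers("1 24 168 1080 2184 4380 12000 24000")
    print([humanize(s) for s in schedule(7200, 10, multipliers=tony)])
    # jail.conf default: base * 1, 2, 4, 8 ...
    print([humanize(s) for s in schedule(600, 6)])
    # The "more aggressive" jail.conf formula with its suggested factor, capped at one day.
    aggressive = "ban.Time * math.exp(float(ban.Count+1)*banFactor)/math.exp(1*banFactor)"
    print(schedule(600, 10, formula=aggressive, factor=2.0 / 2.885385, maxtime=86400))
```

For the jail.local values in the thread this yields 2h, 2d, 14d, 90d, 182d, 365d, 1000d, 2000d and then 2000d for every further ban, because the last multiplier is reused once the list is exhausted; bantime.factor scales every step and bantime.maxtime caps the result. What the calculation cannot model is the daemon's dependence on the database: the count only grows if the IP's earlier bans are still present when it comes back, which is why the thread ties dbpurgeage to the longest ban in the schedule.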