The "recidive" jail is also useful for this. We use it in a variety of places; most commonly it's set to ban for 1 week. The really persistent IPs stay banned almost all the time, and just get a couple of attempts per week.
An escalating ban time would be more flexible, but recidive is a useful stop-gap.

Mark

On Tue, Jun 04, 2019 at 05:38:03PM +0100, Nick Howitt wrote:
> I ban /24 subnets in a postfix jail where there is no reverse DNS (PTR)
> record. Typically this is for users on dynamic IPs, so if one is
> dynamic or has no PTR record I assume the whole /24 subnet is the same.
> I also throw into this any /24 subnet from dynamic.163data.com.cn as
> they are dynamic but have a PTR record and are a PITA.
>
> To do this I use an ipset jail with a type hash:net and feed it the
> <host>/24, and I rely on ipset controlling the timeout so there is no
> actionunban.
>
> Nick
>
> On 04/06/2019 16:39, Andy Howell wrote:
> > The attackers I see are persistent. When the ban expires, they
> > continue their attack.
> >
> > I would like to have an escalating ban time for repeat offenders.
> > Another factor that could play into it is the number of attacking
> > hosts from the same ISP. Having the ban time be a bit of python code
> > instead of an integer would allow flexible methods for determining ban
> > time. Yet another factor could be the history of attack from an ISP.
> > Bad ISPs would be banned longer. Any thoughts on this?
> >
> > Today I see 19 hosts from:
> >
> > GB 45.13.39.0/24
> > HK 45.125.65.0/24
> > IE 185.234.216.0/24
> > IE 185.234.218.0/24
> > LT 141.98.10.0/24
> > LT 185.36.81.0/24
> > NL 185.137.111.0/24
> > NL 185.222.209.0/24
> >
> > No Chinese today. Usually they are predominant.
> >
> > Thanks,
> >
> > Andy
> >
> > _______________________________________________
> > Fail2ban-users mailing list
> > Fail2ban-users@lists.sourceforge.net
> > https://lists.sourceforge.net/lists/listinfo/fail2ban-users

--
Mark Costlow    | Southwest Cyberport | Fax:   +1-505-232-7975
che...@swcp.com | Web: www.swcp.com   | Voice: +1-505-232-7992
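
The idea raised in the thread, a ban time computed from offender history instead of a fixed integer, sketched in Python as an added example (not part of the original messages and not fail2ban's own code). The function names, the 600-second base ban, the 30-day window and the sample history are assumptions; IPv4 addresses are assumed throughout.

```python
import ipaddress

BASE_BAN = 600                # assumed first-offence ban, in seconds
MAX_BAN = 7 * 24 * 3600       # cap: 1 week, the recidive setting quoted above
WINDOW = 30 * 24 * 3600       # assumed: only bans from the last 30 days count


def subnet24(ip):
    """Return the /24 network that contains an IPv4 address."""
    return ipaddress.ip_network(f"{ip}/24", strict=False)


def hosts_per_subnet(history):
    """Map each /24 (as a string) to the number of distinct banned hosts in it."""
    seen = {}
    for ip, _ in history:
        seen.setdefault(str(subnet24(ip)), set()).add(ip)
    return {net: len(hosts) for net, hosts in seen.items()}


def ban_time(ip, history, now):
    """Ban time in seconds for `ip`, given earlier bans as (ip, unix_time).

    Doubles for every earlier ban of the same IP inside WINDOW and is
    multiplied by (1 + other banned hosts in the same /24), up to MAX_BAN.
    """
    recent = [(h, t) for h, t in history if 0 <= now - t <= WINDOW]
    repeats = sum(1 for h, _ in recent if h == ip)
    net = subnet24(ip)
    neighbours = {h for h, _ in recent
                  if h != ip and ipaddress.ip_address(h) in net}
    return min(BASE_BAN * 2 ** repeats * (1 + len(neighbours)), MAX_BAN)


# Constructed ban history: sample hosts placed in two of the /24s listed above.
NOW = 1559700000
HISTORY = [
    ("45.13.39.10", 1559600000),
    ("45.13.39.10", 1559610000),
    ("45.13.39.22", 1559620000),
    ("45.13.39.57", 1559630000),
    ("185.36.81.5", 1559640000),
    ("185.36.81.5", 1550000000),   # older than WINDOW, ignored
]

if __name__ == "__main__":
    for host in ("45.13.39.10", "185.36.81.5", "141.98.10.9"):
        print(host, ban_time(host, HISTORY, NOW))
```
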