Escalating bantime is a feature in v0.11. Unfortunately, it is not available in 
v0.10 or earlier.

However, you could use a looped version of the recidive jail -- see the 
following for an example (though it will likely need to be modified, perhaps 
significantly, for your specific setup):
https://blog.shanock.com/fail2ban-increased-ban-times-for-repeat-offenders/

I'm working to implement this looping jail on my CentOS 7 + fail2ban 0.9.7 
system and will post back here once I get a working setup.  (Note that CentOS 
package maintainers do have v0.10 available through COPR: 
https://bugzilla.redhat.com/show_bug.cgi?id=1588026#c6)

Cheers.

--- Amir
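
The two approaches named in the message above, sketched as a `jail.local` fragment. This is an added example, not configuration from the thread or from the linked blog post; the `sshd` jail, the retry counts and the time values are assumptions, and only one of the two options would be used on a given host.

```ini
# jail.local fragment (constructed example; jail names and values are assumptions)

# --- Option A: fail2ban 0.11 and later, built-in escalating ban time ---
[DEFAULT]
bantime  = 1h
findtime = 10m
# Lengthen the ban each time the same IP is banned again.
bantime.increment    = true
# Successive bans last bantime * multiplier: 1h, 2h, 4h, ... up to 64h.
bantime.multipliers  = 1 2 4 8 16 32 64
# Upper bound on any single ban.
bantime.maxtime      = 4w
# false: count earlier bans per jail; true: count them across all jails.
bantime.overalljails = false

[sshd]
enabled = true

# --- Option B: fail2ban 0.10 and earlier, recidive as a stop-gap ---
# recidive reads fail2ban's own log and re-bans IPs that other jails
# keep banning. Keep loglevel below DEBUG, and keep fail2ban.log around
# for at least findtime, or earlier bans are never counted.
[recidive]
enabled   = true
logpath   = /var/log/fail2ban.log
banaction = %(banaction_allports)s
# 3 bans by any jail within 1 day => 1 week ban on all ports.
# Plain seconds are used so the values parse on 0.9.x as well.
maxretry  = 3
findtime  = 86400
bantime   = 604800
```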

> On Jun 4, 2019, at 1:11 PM, Mark Costlow <che...@swcp.com> wrote:
> 
> The "recidive" jail is also useful for this.  We use it in a variety of
> places; most commonly it's set to ban for 1 week.  The really
> persistent IPs stay banned almost all the time, and just get a
> couple of attempts per week.
> 
> An escalating ban time would be more flexible, but recidive is a
> useful stop-gap.
> 
> Mark
> 
> 
> On Tue, Jun 04, 2019 at 05:38:03PM +0100, Nick Howitt wrote:
>> I ban /24 subnets in a postfix jail where there is no reverse DNS (PTR) 
>> record. Typically this is for users on dynamic IPs, so if one is 
>> dynamic or has no PTR record I assume the whole /24 subnet is the same. 
>> I also throw into this any /24 subnet from dynamic.163data.com.cn as 
>> they are dynamic but have a PTR record and are a PITA.
>> 
>> To do this I use an ipset jail with a type hash:net and feed it the 
>> <host>/24, and I rely on ipset controlling the timeout so there is no 
>> actionunban.
>> 
>> Nick
>> 
>> On 04/06/2019 16:39, Andy Howell wrote:
>>> The attackers I see are persistent. When the ban expires, they 
>>> continue their attack.
>>> 
>>> I would like to have an escalating ban time for repeat offenders. 
>>> Another factor that could play into it is the number of attacking 
>>> hosts from the same ISP. Having the ban time be a bit of python code 
>>> instead of an integer would allow flexible methods for determining ban 
>>> time. Yet another factor could be the history of attack from an ISP. 
>>> Bad ISPs would be banned longer. Any thoughts on this?
>>> 
>>> Today I see 19 hosts from:
>>> 
>>> GB 45.13.39.0/24
>>> HK 45.125.65.0/24
>>> IE 185.234.216.0/24
>>> IE 185.234.218.0/24
>>> LT 141.98.10.0/24
>>> LT 185.36.81.0/24
>>> NL 185.137.111.0/24
>>> NL 185.222.209.0/24
>>> 
>>> No Chinese today. Usually they are predominant.
>>> 
>>> Thanks,
>>> 
>>> Andy
>>> 
>>> 
>>> 
>>> _______________________________________________
>>> Fail2ban-users mailing list
>>> Fail2ban-users@lists.sourceforge.net
>>> https://lists.sourceforge.net/lists/listinfo/fail2ban-users
> 
> -- 
> Mark Costlow    | Southwest Cyberport | Fax:   +1-505-232-7975
> che...@swcp.com | Web:   www.swcp.com | Voice: +1-505-232-7992
