Thanks to everyone that replied to this. I'm still investigating. I'm
running Ubuntu, which is on 0.10.2.
I could not find a deb package for v0.11, so I started making one, using
the debian package files from 0.10.2 as a starting point. I have it
building now, but 4 of the tests fail. Is there a separate mailing list
for development? I couldn't find any.
Thanks,
Andy
On 6/4/19 3:03 PM, Amir Caspi wrote:
Escalating bantime is a feature in v0.11. Unfortunately not available
in v0.10 or earlier.
However, you could use a looped version of the recidive jail -- see
the following for an example (though it will likely need to be
modified, perhaps significantly, for your specific setup):
https://blog.shanock.com/fail2ban-increased-ban-times-for-repeat-offenders/
I'm working to implement this looping jail on my CentOS 7 + fail2ban
0.9.7 system and will post back here once I get a working setup.
(Note that CentOS package maintainers do have v0.10 available through
COPR: https://bugzilla.redhat.com/show_bug.cgi?id=1588026#c6)
Cheers.
--- Amir
On Jun 4, 2019, at 1:11 PM, Mark Costlow <che...@swcp.com> wrote:
The "recidive" jail is also useful for this. We use it in a variety of
places, most commonly it's set to ban for 1 week. The really
persistent IPs stay banned almost all the time, and just get a
couple of attempts per week.
An escalating ban time would be more flexible, but recidive is a
useful stop-gap.
Mark
On Tue, Jun 04, 2019 at 05:38:03PM +0100, Nick Howitt wrote:
I ban /24 subnets in a postfix jail where there is no reverse DNS (PTR)
record. Typically this is for users on dynamic IPs, so if one is
dynamic or has no PTR record I assume the whole /24 subnet is the same.
I also throw into this any /24 subnet from dynamic.163data.com.cn as
they are dynamic but have a PTR record and are a PITA.
To do this I use an ipset jail with a type hash:net and feed it the
<host>/24, and I rely on ipset controlling the timeout so there is no
actionunban.
Nick
On 04/06/2019 16:39, Andy Howell wrote:
The attackers I see are persistent. When the ban expires, they
continue their attack.
I would like to have an escalating ban time for repeat offenders.
Another factor that could play into it is the number of attacking
hosts from the same ISP. Having the ban time be a bit of python code
instead of an integer would allow flexible methods for determining ban
time. Yet another factor could be the history of attack from an ISP.
Bad ISPs would be banned longer. Any thoughts on this?
Today I see 19 hosts from:
GB 45.13.39.0/24
HK 45.125.65.0/24
IE 185.234.216.0/24
IE 185.234.218.0/24
LT 141.98.10.0/24
LT 185.36.81.0/24
NL 185.137.111.0/24
NL 185.222.209.0/24
No Chinese today. Usually they are predominant.
Thanks,
Andy
_______________________________________________
Fail2ban-users mailing list
Fail2ban-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
--
Mark Costlow | Southwest Cyberport | Fax: +1-505-232-7975
che...@swcp.com | Web: www.swcp.com | Voice: +1-505-232-7992
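An added illustration (not part of the original thread and not fail2ban code) of two ideas discussed above: a ban time computed by a bit of Python from a host's repeat count and the number of offending hosts in its /24, and picking the /24 subnets to feed into an ipset of type hash:net. The function names, base time, threshold and sample addresses (documentation ranges) are assumptions.

```python
import ipaddress
from collections import defaultdict

BASE_BANTIME = 600            # assumed base ban, in seconds
MAX_BANTIME = 7 * 24 * 3600   # cap at 1 week, the recidive setting mentioned in the thread

# Constructed ban history: one entry per past ban (documentation address ranges).
SAMPLE_BANS = [
    "192.0.2.10", "192.0.2.10", "192.0.2.10",
    "192.0.2.77",
    "198.51.100.5",
]

def subnet24(ip):
    """Return the /24 network containing an IPv4 address."""
    return ipaddress.ip_network(f"{ip}/24", strict=False)

def _index(bans):
    """Count bans per host and collect the distinct hosts seen in each /24."""
    per_host, per_net = defaultdict(int), defaultdict(set)
    for ip in bans:
        ipaddress.IPv4Address(ip)   # reject malformed or non-IPv4 input early
        per_host[ip] += 1
        per_net[subnet24(ip)].add(ip)
    return per_host, per_net

def ban_times(bans, base=BASE_BANTIME, cap=MAX_BANTIME):
    """Next ban time per host: doubles with each earlier ban of that host,
    scaled by the number of distinct offending hosts in the same /24."""
    per_host, per_net = _index(bans)
    return {
        ip: min(base * 2 ** (count - 1) * len(per_net[subnet24(ip)]), cap)
        for ip, count in per_host.items()
    }

def subnets_to_ban(bans, min_hosts=2):
    """/24 networks with at least min_hosts distinct offenders, as strings
    suitable for adding to an ipset of type hash:net."""
    _, per_net = _index(bans)
    return sorted(str(net) for net, hosts in per_net.items() if len(hosts) >= min_hosts)

if __name__ == "__main__":
    for ip, seconds in ban_times(SAMPLE_BANS).items():
        print(f"{ip}: ban for {seconds}s")
    print("subnets:", subnets_to_ban(SAMPLE_BANS))
```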