Thank you for the explanation, Denis. I have a follow-up question...
Am I correct in observing that the default jail filters provided with fail2ban can cause multiple “hits” and therefore increment the maxretry counter multiple times for the same failed ssh login attempt? I ask because my ssh jail maxretry was set to 4, yet it banned an IP after only two unauthorized login attempts. The attacker used both an invalid username and password, which caused 6 lines from sshd to appear in the auth.log. Looking over the default ssh filters, it looks like a couple of those lines could cause matches.

Best regards,
John

> On Jun 24, 2019, at 1:05 AM, Denis Rasulev <[email protected]> wrote:
>
> Hi,
>
> [DEFAULT] directives are effective unless overridden by specific jail
> configuration items.
>
> In other words, it’s enough to define maxretry variable in the [DEFAULT]
> section once and it will work for every jail, i.e. there is no need then to
> define it in every jail.
>
> However, if for any specific jail you want to set up some specific value of
> maxretry, you can do so! And it will have higher priority than default’s one.
>
> Maxretry for recidive and ssh sections could be different according to your
> needs / wants.
>
> Regards,
>
> Denis

_______________________________________________
Fail2ban-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
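The counting effect asked about in the message above, as an added example that is not part of the original thread and is not fail2ban's own code: it counts how many lines of a log match a set of failure patterns per source address and compares the total with maxretry. The two patterns are simplified stand-ins (assumptions, not the regexes from fail2ban's shipped sshd filter), the log lines are constructed, and findtime is ignored.

```python
import re
from collections import Counter

# Simplified stand-ins for two failregex entries (assumption: these are NOT
# the patterns from fail2ban's shipped sshd filter).
PATTERNS = [
    re.compile(r"sshd\[\d+\]: Invalid user \S+ from (?P<host>\S+)"),
    re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from (?P<host>\S+)"),
]

# Constructed auth.log excerpt: two login attempts with an invalid username
# from one address (192.0.2.10 is a documentation address).
SAMPLE_LOG = """\
Jun 24 01:00:01 host sshd[1111]: Invalid user admin from 192.0.2.10 port 40000
Jun 24 01:00:03 host sshd[1111]: Failed password for invalid user admin from 192.0.2.10 port 40000 ssh2
Jun 24 01:00:04 host sshd[1111]: Connection closed by invalid user admin 192.0.2.10 port 40000 [preauth]
Jun 24 01:00:10 host sshd[1112]: Invalid user admin from 192.0.2.10 port 40002
Jun 24 01:00:12 host sshd[1112]: Failed password for invalid user admin from 192.0.2.10 port 40002 ssh2
Jun 24 01:00:13 host sshd[1112]: Connection closed by invalid user admin 192.0.2.10 port 40002 [preauth]
"""


def count_hits(log_text, patterns=PATTERNS):
    """Return a Counter of matching lines per source address."""
    hits = Counter()
    for line in log_text.splitlines():
        for pattern in patterns:
            match = pattern.search(line)
            if match:
                hits[match.group("host")] += 1
                break  # a line counts once even if several patterns match
    return hits


def reaches_maxretry(hits, maxretry):
    """Addresses whose hit count has reached maxretry."""
    return sorted(host for host, n in hits.items() if n >= maxretry)


if __name__ == "__main__":
    both = count_hits(SAMPLE_LOG)
    password_only = count_hits(SAMPLE_LOG, PATTERNS[1:])
    print("both patterns:", dict(both), reaches_maxretry(both, 4))
    print("one pattern:  ", dict(password_only), reaches_maxretry(password_only, 4))
```

Against a real installation, the `fail2ban-regex` tool shipped with fail2ban reports which lines of a log file match a given filter file.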
