Some attacks open up tens, if not hundreds, of connections at one time. I think fail2ban works by blocking *new* connections and since these connections are already initiated they don't get banned.
You could limit the number of simultaneous connections with iptables.
Something like:
ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 25,465,587 limit: up to 10/min burst 4 mode srcip
Bill
On 6/28/2019 8:25 AM, BASSAGET Cédric wrote:
Hello
I'm trying to understand why fail2ban takes too much time (> 1 sec) to detect that an IP address has to be banned and ban it.
Here's my fail2ban.log (truncated) :
2019-06-28 14:10:30,253 fail2ban.filter [24709]: INFO [asterisk] Found 91.121.2.x
........ about 3000 same entries .....
2019-06-28 14:12:10,614 fail2ban.filter [24709]: INFO [asterisk] Found 91.121.2.x
2019-06-28 14:12:12,092 fail2ban.actions [24709]: NOTICE [asterisk] Ban 91.121.2.x
in jail.conf I have findtime=600 and maxretries=3. So ban action should be triggered really more quickly.
Lines
Any idea about what can be wrong ?
I'm using Fail2Ban v0.9.6 (latest on debian9 repos), default filters and jail config.
Regards,
Cédric
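To put a number on the delay the question is about, here is an added example (not part of the thread and not fail2ban's own code) that parses log lines in the fail2ban 0.9 format quoted above, finds the Found event at which the maxretry-th hit within findtime occurred, and reports how long the Ban line came after it. The sample log is constructed: only the first and last timestamps are taken from the thread, the rest are made up.

```python
import re
from datetime import datetime

# Constructed sample in the fail2ban 0.9 log format quoted in the thread; only the
# first and last timestamps come from the thread, the three in between are made up.
SAMPLE_LOG = """\
2019-06-28 14:10:30,253 fail2ban.filter [24709]: INFO [asterisk] Found 91.121.2.x
2019-06-28 14:10:30,301 fail2ban.filter [24709]: INFO [asterisk] Found 91.121.2.x
2019-06-28 14:10:30,344 fail2ban.filter [24709]: INFO [asterisk] Found 91.121.2.x
2019-06-28 14:12:10,614 fail2ban.filter [24709]: INFO [asterisk] Found 91.121.2.x
2019-06-28 14:12:12,092 fail2ban.actions [24709]: NOTICE [asterisk] Ban 91.121.2.x
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d{3}) fail2ban\.(?:filter|actions) "
    r"\[\d+\]: (?:INFO|NOTICE) \[(?P<jail>[^\]]+)\] (?P<event>Found|Ban) (?P<ip>\S+)$"
)

def parse_events(text):
    """Yield (timestamp, jail, event, ip) for each Found/Ban line; other lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S,%f")
            yield ts, m["jail"], m["event"], m["ip"]

def ban_latency(text, maxretry=3, findtime=600):
    """For each Ban, report how long after fail2ban's ban condition was first met it fired.

    The condition is `maxretry` Found hits for the same jail/IP within `findtime` seconds;
    the expected trigger is the Found event that completed that window.
    """
    hits = {}      # (jail, ip) -> timestamps of Found events seen so far
    report = []
    for ts, jail, event, ip in parse_events(text):
        key = (jail, ip)
        if event == "Found":
            hits.setdefault(key, []).append(ts)
            continue
        seen, trigger = hits.get(key, []), None
        for i in range(maxretry - 1, len(seen)):
            if (seen[i] - seen[i - maxretry + 1]).total_seconds() <= findtime:
                trigger = seen[i]
                break
        lag = (ts - trigger).total_seconds() if trigger else None
        report.append({"jail": jail, "ip": ip, "found_before_ban": len(seen),
                       "expected_trigger": trigger, "ban": ts, "lag_seconds": lag})
    return report
```

With the thread's findtime=600 and maxretry=3, ban_latency(SAMPLE_LOG) reports 4 hits before the ban and a lag of 101.748 s between the third hit and the Ban line; run it over a real fail2ban.log to see where the time goes.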
_______________________________________________
Fail2ban-users mailing list
Fail2ban-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/fail2ban-users