conntrack tracks UDP.  Try running:
conntrack -L | grep udp

Bill

On 6/28/2019 9:04 AM, BASSAGET Cédric wrote:
Hello Bill,
Would that apply to UDP traffic? I think it does not, as UDP is stateless.

Regards

On Fri, 28 Jun 2019 at 14:43, Bill Shirley <bshir...@openmri-scottsboro.com> wrote:

    Some attacks open up tens, if not hundreds, of connections at one time.  I think fail2ban
    works by blocking *new* connections and since these connections are already initiated
    they don't get banned.

    You could limit the number of simultaneous connections with iptables.  Something like:
    ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 25,465,587 limit: up to 10/min burst 4 mode srcip

    Bill

    On 6/28/2019 8:25 AM, BASSAGET Cédric wrote:
    Hello
    I'm trying to understand why fail2ban takes too much time (> 1 sec) to detect that an IP address has to be banned and ban it.

    Here's my fail2ban.log (truncated):
    2019-06-28 14:10:30,253 fail2ban.filter [24709]: INFO    [asterisk] Found 91.121.2.x
    ........ about 3000 same entries .....
    2019-06-28 14:12:10,614 fail2ban.filter [24709]: INFO    [asterisk] Found 91.121.2.x
    2019-06-28 14:12:12,092 fail2ban.actions  [24709]: NOTICE  [asterisk] Ban 91.121.2.x

    In jail.conf I have findtime=600 and maxretries=3. So the ban action should be triggered much more quickly.

    Lines

    Any idea about what can be wrong?
    I'm using Fail2Ban v0.9.6 (latest on debian9 repos), default filters and jail config.

    Regards,
    Cédric


    _______________________________________________
    Fail2ban-users mailing list
    Fail2ban-users@lists.sourceforge.net
    https://lists.sourceforge.net/lists/listinfo/fail2ban-users

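To put a number on the delay discussed in this thread, the following added example (not part of any message above, and not fail2ban's own code) reads fail2ban.log lines in the format quoted in the original post and reports how long the Ban came after the maxretry threshold was first met inside findtime. The function name `ban_latency`, the sample lines and the documentation address 192.0.2.10 are constructed for illustration; the defaults mirror the findtime=600 and maxretries=3 mentioned in the post.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Matches the "Found" / "Ban" lines in the log format quoted in the thread.
LINE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d{3}) fail2ban\.(?:filter|actions)\s+"
    r"\[\d+\]: \w+\s+\[(?P<jail>[^\]]+)\] (?P<event>Found|Ban) (?P<ip>\S+)"
)

def ban_latency(lines, maxretry=3, findtime=600):
    """Return [(jail, ip, finds_before_ban, seconds_from_threshold_to_ban)]."""
    window = defaultdict(deque)  # (jail, ip) -> Found times still inside findtime
    crossed = {}                 # (jail, ip) -> time the threshold was first met
    total = defaultdict(int)     # (jail, ip) -> all Found lines seen before the Ban
    report = []
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S,%f")
        key = (m["jail"], m["ip"])
        if m["event"] == "Found":
            total[key] += 1
            q = window[key]
            q.append(ts)
            while (ts - q[0]).total_seconds() > findtime:
                q.popleft()      # drop matches older than findtime
            if len(q) >= maxretry and key not in crossed:
                crossed[key] = ts
        elif key in crossed:     # Ban line for a host that met the threshold
            delay = (ts - crossed.pop(key)).total_seconds()
            report.append((*key, total.pop(key), round(delay, 3)))
            window.pop(key, None)
    return report

# Constructed sample lines (not the poster's real log).
SAMPLE = """\
2019-06-28 14:10:30,253 fail2ban.filter [24709]: INFO    [asterisk] Found 192.0.2.10
2019-06-28 14:10:30,301 fail2ban.filter [24709]: INFO    [asterisk] Found 192.0.2.10
2019-06-28 14:10:30,350 fail2ban.filter [24709]: INFO    [asterisk] Found 192.0.2.10
2019-06-28 14:10:31,000 fail2ban.filter [24709]: INFO    [asterisk] Found 192.0.2.10
2019-06-28 14:12:12,092 fail2ban.actions  [24709]: NOTICE  [asterisk] Ban 192.0.2.10
""".splitlines()

if __name__ == "__main__":
    for jail, ip, finds, delay in ban_latency(SAMPLE):
        print(f"[{jail}] {ip}: {finds} Found lines, Ban {delay}s after threshold")
```

To run it against a real log, pass an open file object for fail2ban.log as `lines` in place of `SAMPLE`.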