I've noticed that I have a number of slow distributed attacks happening on my server which evade fail2ban by using a pool of IP addresses.
I've been looking at the sqlite db and it looks like the data field in the bips table can have all the data I need to have a supplemental script which runs periodically and looks for a "threshold number" of failed logins over a time period against the same account and bans all IPs that tried. I've already instrumented my filters with the <f-user> tags so that the account name is available in the JSON data. Has anyone tried this? I only started looking at fail2ban a few days ago. Are there any holes in the approach I'm suggesting?

Steve
Fail2ban-users mailing list
Fail2ban-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
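The periodic scan Steve describes, as an added example (not code from the post or from the fail2ban project): it reads a sqlite `bips` table, groups rows by the account name recorded in the JSON `data` column, and reports accounts hit from at least a threshold of distinct IPs inside a time window. The column layout and the `"user"` key populated via `<F-USER>` are assumptions modelled on fail2ban 0.10+; the sample rows are constructed.

```python
# Added example (not from the original post): scan a fail2ban-style sqlite
# "bips" table for one account being hit from a pool of IPs.
# ASSUMED schema/JSON layout, modelled on fail2ban 0.10+: bips(jail, ip,
# timeofban, bantime, bancount, data) with data holding {"user": ..., ...}
# captured through the <F-USER> tag. Verify against your own database first.
import json
import sqlite3
import time
from collections import defaultdict

def load_db(path=":memory:"):
    """Open the DB and create the assumed bips table if it is missing."""
    conn = sqlite3.connect(path)
    conn.execute("CREATE TABLE IF NOT EXISTS bips (jail TEXT, ip TEXT, "
                 "timeofban INTEGER, bantime INTEGER, bancount INTEGER, data JSON)")
    return conn

def seed_sample(conn, now):
    """Constructed sample rows: 'alice' hit from 4 IPs inside the window,
    'bob' from a single IP, and one stale 'alice' row outside the window."""
    rows = [("sshd", "198.51.100.%d" % i, now - 600 * i, 600, 1,
             json.dumps({"user": "alice", "failures": 2})) for i in range(1, 5)]
    rows.append(("sshd", "203.0.113.7", now - 60, 600, 1,
                 json.dumps({"user": "bob", "failures": 5})))
    rows.append(("sshd", "203.0.113.9", now - 86400, 600, 1,
                 json.dumps({"user": "alice", "failures": 2})))
    conn.executemany("INSERT INTO bips VALUES (?,?,?,?,?,?)", rows)

def distributed_targets(conn, jail, threshold, window, now):
    """Return {account: sorted IPs} for accounts attacked from >= threshold
    distinct IPs within the last `window` seconds."""
    ips_by_user = defaultdict(set)
    cur = conn.execute("SELECT ip, data FROM bips WHERE jail=? AND timeofban>=?",
                       (jail, now - window))
    for ip, data in cur:
        try:
            user = json.loads(data).get("user")  # absent if filter lacks <F-USER>
        except (TypeError, ValueError):
            continue  # skip rows whose data column is not valid JSON
        if user:
            ips_by_user[user].add(ip)
    return {u: sorted(ips) for u, ips in ips_by_user.items() if len(ips) >= threshold}

def ban_commands(jail, targets):
    """Build (not run) the fail2ban-client calls that would ban every IP found."""
    return ["fail2ban-client set %s banip %s" % (jail, ip)
            for ips in targets.values() for ip in ips]

if __name__ == "__main__":
    conn = load_db()
    now = int(time.time())
    seed_sample(conn, now)
    targets = distributed_targets(conn, "sshd", threshold=3, window=3600, now=now)
    print("\n".join(ban_commands("sshd", targets)))
```

Note that the ban tables only hold IPs that fail2ban has already banned at least once, so an IP that stays below `maxretry` never appears there and the threshold above counts distinct banned sources per account, not raw failures.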