Blocking regardless of findtime

[hack3rcon]

Hello,
Hello,
How can I block someone who has entered the wrong password three times in any given time period?

Thanks.

[sebres]

The answer for this blurred question can only be RTFM...
The hints are maxretry = 3 and findtime = N (if the emphasis is approximately on how to configure the jail to cause a ban after 3 attempts in time N).
If the emphasis is rather on how to made a new jail for some (unknown) service X, which logs to log/journal Y with some (unknown) message after wrong password, then the answer cannot be given due to many unknowns.

[sebres]

If it is rather about your own application you write, it can be also done with fail2ban-client interface or fail2ban protocol.
See #2559 (comment) for an example.

[sebres]

Just noticed the subject - "Blocking regardless of findtime".
So the emphasis of question seems to be on regardless of findtime.

Well, it is complicated - one can surely set findtime to something large, like findtime = 1y (1 year), but...
Physically it would mean:

• any IP with a single failure (or attempt count smaller than maxretry) would be hold by fail2ban in a fail-manager list of jail for 1 year, because it'd wait for maxretry attempts from IP, so it'd disappear at the earliest 1 year after last attempt, even if that was a single accidental attempt, let alone some dynamic IP;
• that would cause that a lot of this "pending" tickets would unnecessarily increase memory usage and bother the fail-manager list unless get banned or forgotten (after 1 year);
• dynamic IPs could cause false positives

Something like findtime = 1w (1 week) or even findtime = 1d (1 day) is fully enough, normally.

Anyway by large findtime it is recommended to set maxmatches = 0 (to reduce memory usage, because it'd stop holding matched messages in memory, so may help to avoid possible OOM by good "visited" services with many attempts from different IPs), see #2402.

Also note that a restart of fail2ban will clean all current failures (fail-manager list of all jails becomes empty, and in opposite to active banned IPs, the failed attempts would not be restored from database), so findtime = 1y means 1 year back, but not earlier than a last restart. Fail2ban also knows the last position in log/journal, so even by findtime = 1y it would not jump 1 year back to rescan all the logs or journals, let alone they could be already rotated, see #2909 for details.

As an additional hint: instead of large findtime, just enable bantime.increment, so known as recidive evildoers would be banned faster and for longer time by repeated attempts after ban(s).