Blocking at any time interval with 3 failed attempts

[hack3rcon]

Hello,
How do I configure Fail2Ban to block if someone enters the wrong password three times in any given time period?

Thank you.

[sebres]

How do I configure Fail2Ban to block if someone enters the wrong password three times in any given time period?

If emphasis is on given...
The short answer is - RTFM.

Basically:

maxretry = 3
findtime = 15m

(means 3 attempts in 15 minutes)

Blocking at any time interval with 3 failed attempts

If "any time interval" in title means rather not the given interval but really "any", then the answer is - it is impossible.

Fail2ban needs a fixed interval, because:

• it'd hold the ticket with IP in failure queue (in memory) for this interval (remove it if time since last attempt is larger than findtime);
• after restart it must seek to max(time_of_last_known_pos, now - findtime) in the log or journal to process new messages in log;
• the combination of maxretry and findtime helps against false positives (bans of legitimate users mad few attempts distributed over days).

And set it to something large (like 1y for 1 year) is generally not recommended:

• will unneeded waste system resources (memory/CPU) with a lot of tickets with IPs they probably never come back (dynamic IPs, etc);
• too aggressive (may ban legitimate users that made some typo by input occasionally, 3 times in a year);
• etc

Better would be to increase both (maxretry and findtime) to some plausible values (e. g. 5 and 1 to few hours) and then use bantime.increment = true (and bantime.maxtime = 5w), so recidive evildoers, repeating attempts after ban, will be banned faster (for fewer attempts) and for longer time, see table in #1460 for details.