change F2B configs: made config more aggressive #3243

Merged
merged 6 commits into from Apr 11, 2023

Conversation

georglauterbach
Member

@georglauterbach georglauterbach commented Apr 10, 2023

Description

Adjust F2B config. Made Postfix & Postfix-SASL more aggressive (switched mode to aggressive). Also increased bantime & findtime and reduced maxretries, as proposed in #3178.

I have been running a configuration that is even more aggressive on my personal instance, and never had any problems. I believe this change to be worthwhile and justified :)

Fixes #3178

Type of change

  • Improvement (non-breaking change that does improve existing functionality)

Checklist:

  • My code follows the style guidelines of this project
  • I have performed a self-review of my own code
  • I have commented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation (README.md or the documentation under docs/)
  • If necessary I have added tests that prove my fix is effective or that my feature works
  • New and existing unit tests pass locally with my changes

@georglauterbach georglauterbach enabled auto-merge (squash) April 10, 2023 21:40
@georglauterbach
Member Author

ATTENTION: Auto-Merge is enabled :)

@casperklein
Member

LGTM 👍 Just two things:

For completeness and documentation: could you explain/give an example, what adding mode=aggressive does (on top) compared to not using it. "Being more aggressive" is a bit vague.

In the linked issue you mentioned a dedicated Postscreen jail. Does mode=aggressive already handle that or was there another reason you omitted it?

PS: IMO findtime could also be 1w.

@georglauterbach
Member Author

> For completeness and documentation: could you explain/give an example, what adding mode=aggressive does (on top) compared to not using it. "Being more aggressive" is a bit vague.

Does that help: https://github.com/fail2ban/fail2ban/blob/27294c4b9ee5d5568a1d5f83af744ea39d5a1acb/config/filter.d/postfix.conf#L58? It basically matches more lines. Do you want to add this to the file too?

> In the linked issue you mentioned a dedicated Postscreen jail. Does mode=aggressive already handle that or was there another reason you omitted it?

Yes: mode=aggressive already handles that.

> PS: IMO findtime could also be 1w.

I took d because it's consistent with findtime 😂

@casperklein
Member

> Does that help: fail2ban/fail2ban@27294c4/config/filter.d/postfix.conf#L58? It basically matches more lines. Do you want to add this to the file too?

Doesn't hurt I think 👍

> > PS: IMO findtime could also be 1w.
>
> I took d because it's consistent with findtime 😂

You misunderstood. I meant 7d or 1w. Currently it's 1d.

@georglauterbach
Member Author

georglauterbach commented Apr 11, 2023

> > Does that help: fail2ban/fail2ban@27294c4/config/filter.d/postfix.conf#L58? It basically matches more lines. Do you want to add this to the file too?
>
> Doesn't hurt I think 👍

👍🏼

> > > PS: IMO findtime could also be 1w.
> >
> > I took d because it's consistent with findtime 😂
>
> You misunderstood. I meant 7d or 1w. Currently it's 1d.

Oh, I see :D I will adjust the PR.

EDIT: Done.

@github-actions
Contributor

Documentation preview for this PR is ready! 🎉

Built with commit: f79d4fb
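
The findtime point raised in this thread (1d versus 1w), as an added example that is not part of the PR or of fail2ban's own code: a simplified Python model of the findtime/maxretry sliding window, run over constructed failure events. The maxretry value of 3, the IP addresses and the event times are assumptions.

```python
from collections import defaultdict, deque

# Subset of fail2ban-style time abbreviations, in seconds.
UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}
HOUR = 3600

def to_seconds(value):
    """Convert a value such as '1d', '1w' or '600' to seconds."""
    value = value.strip()
    if value[-1] in UNITS:
        return int(value[:-1]) * UNITS[value[-1]]
    return int(value)

def simulate_bans(events, findtime, maxretry):
    """Return {ip: ban_timestamp} for (timestamp, ip) failure events.

    Simplified model: an IP is banned once `maxretry` failures fall
    inside a sliding window of `findtime`. Ban expiry is not modelled.
    """
    window = to_seconds(findtime)
    recent = defaultdict(deque)
    banned = {}
    for ts, ip in sorted(events):
        if ip in banned:
            continue
        failures = recent[ip]
        failures.append(ts)
        # Forget failures that are older than the findtime window.
        while ts - failures[0] > window:
            failures.popleft()
        if len(failures) >= maxretry:
            banned[ip] = ts
    return banned

# Constructed events (documentation IP ranges, times in seconds):
# a burst of three failures within two minutes, and a slow source
# that fails once every 13 hours.
EVENTS = [(HOUR + 60 * i, "198.51.100.7") for i in range(3)]
EVENTS += [(13 * HOUR * i, "203.0.113.5") for i in range(6)]

if __name__ == "__main__":
    for findtime in ("1d", "1w"):
        # maxretry=3 is an assumed value, not the one from the PR.
        print(findtime, simulate_bans(EVENTS, findtime, maxretry=3))
```

With findtime at 1d the slow source never accumulates three failures inside one window; at 1w it is banned on its third attempt.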

Labels
area/configuration (file), kind/improvement (Improve an existing feature, configuration file or the documentation), service/security/fail2ban
Development

Successfully merging this pull request may close these issues.

[FR] Postscreen attack vectors should be banned by F2B in the default config