-
Well, I would not directly say it is an unusual way, but it may indeed be too heavy. Take a look in our wiki at Best practice as well as at filters like nginx-limit-req, which would allow a more suitable solution for limiting requests and banning such crawlers.
Hmm... This may indeed be an issue (as for cleanup, which is indeed the major function that shrinks the failure list; there are other routines, but they affect only certain tickets).
-
There is a new branch fix-rc-on-too-many-failures now (rebased from my experimental branch, where this banASAP stuff is completely removed) and it has no RC for the cleanup process.
-
Hi @sebres, first off, let me thank you for the very good job you're doing with fail2ban, and for the kind support you're providing. :)
This said, I was considering using fail2ban in a perhaps unusual way, to blindly count all requests to a web site backend, to ban the users making too many requests in a short time span (i.e. malicious crawlers which copy contents, etc.).
So, such a use case would essentially translate to: a moderately short findTime and a big number of failures being collected, and a small number of bans.
Being myself a developer, I tried to pinpoint the weak points of this approach, and I explored the fail2ban code to check how failures were being cleaned up after going outside of the findTime time window. I can be wrong, as today is the first time I have looked at fail2ban code, but so far I have found out that the __failList in FailManager is only purged when a ban is triggered? Is this correct? If so, I'm afraid that such a list could keep growing too much in my use case, and perhaps a patch would be needed.
What do you think? Can you confirm and/or do you have any suggestions/recommendations? Before deciding to try fail2ban and exploring the code, I had been searching for information on the internet and I had found some SO threads where some people suggested that fail2ban could be used this way, so maybe this could be something of general interest.
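The memory concern discussed in this thread, as an added illustration that is not part of the original posts and is not fail2ban's code: a per-client sliding-window counter run once with purging only on ban and once with a periodic time-based cleanup. The class, the `simulate` helper, the window and threshold values and the traffic are all constructed for the example.

```python
from collections import defaultdict, deque


class SlidingWindowCounter:
    """Hypothetical per-client request tracker; not fail2ban's FailManager."""

    def __init__(self, find_time, max_retry):
        self.find_time = find_time       # window length in seconds
        self.max_retry = max_retry       # hits inside the window that trigger a ban
        self._hits = defaultdict(deque)  # client -> timestamps, oldest first

    def _expire(self, q, now):
        # Drop timestamps that have left the window.
        while q and q[0] <= now - self.find_time:
            q.popleft()

    def add(self, client, ts):
        """Record one request; return True when the client should be banned."""
        q = self._hits[client]
        q.append(ts)
        self._expire(q, ts)
        if len(q) >= self.max_retry:
            del self._hits[client]       # purge on ban
            return True
        return False

    def cleanup(self, now):
        """Time-based purge: forget clients with no hits left in the window."""
        for client in list(self._hits):
            q = self._hits[client]
            self._expire(q, now)
            if not q:
                del self._hits[client]

    def tracked(self):
        return len(self._hits)


def simulate(with_cleanup, seconds=3600, every=10):
    """Constructed traffic: one request per second, each from a new address."""
    c = SlidingWindowCounter(find_time=60, max_retry=100)
    for t in range(seconds):
        c.add("2001:db8::%x" % t, t)     # documentation prefix, constructed
        if with_cleanup and t % every == 0:
            c.cleanup(t)
    return c.tracked()


if __name__ == "__main__":
    print("purge only on ban:", simulate(False))
    print("periodic cleanup: ", simulate(True))
```

With the periodic cleanup the number of tracked clients stays bounded by the request rate times the window plus the cleanup interval, independent of how long the process runs.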