-
-
Notifications
You must be signed in to change notification settings - Fork 1.2k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[FR]: Suggestion for a recidive FOUND filter (Double Tap) #3473
Comments
Recidive filter is a rudiment (because of Regarding the suggested filter, it is few accurate (due to catch-all). Better replace - failregex = ^%(__prefix_line)s(?:\s*fail2ban\.filter\s*%(__pid_re)s?:\s+)?INFO\s+\[(?!%(_jailname)s\])(?:.*)\]\s+Found\s+<HOST>.*$
+ failregex = ^%(__prefix_line)s(?:\s*fail2ban\.filter\s*%(__pid_re)s?:\s+)?INFO\s+\[(?!%(_jailname)s\])[^\]]+\]\s+Found\s+<ADDR> |
Thanks for your improvement tips. I am not referring to the punishment of found IPs. I apply the bantime.increment feature by default. It is about detecting IPs that mostly access a resource via double tap. Usually these are several IPs from one subnet, which indicates a botnet. By default 5 accesses (maxretry) per 10 minutes (findtime) are the limit. If more than 5/10, then the jail takes effect. However, these IPs access 1-4 times per 10 minutes. If now 1/10 (maxretry=1, findtime=10m) is set, the service (e.g. SSH) is no longer manageable. One wrong password (people make mistakes) and you lock yourself. These suspicious IPs access several 10 times a day and so they move under the radar for weeks/months. There are even several 100s to 1000s events together. From my point of view, the recidive approach is suitable to evaluate the 24h situation again, which the view of 10 minutes does not do without losing the usability of the service. I got the tips. Thank you. :) This issue can be closed. |
By default, the Jail threshold is 5 events in 10 minutes. A further reduction of the trigger rate (matches per time) makes no sense. The usability suffers.
Since quite some time I regularly notice double tap events in my logs. These double-tap events occur every few minutes and are caused by several IPs that are probably part of botnets. Thus, these events are below the radar. Many pennies make a dollar. At least the server signals: I’m watching you.
The recidive-filter searches the fail2ban.log for BAN events.
Below is a filter suggestion for the interested community that looks for FOUND events instead:
/etc/fail2ban/filter.d/recidive-found.local
The appropriate jail config:
/etc/fail2ban/jail.d/recidive-found.local
With respect to the recidive-filter maybe there will be an option to log the filter queries to a 'queries.log' instead to the 'fail2ban.log' in order not to build loops during debugging.
Thank you. I appreciate your work. :)
Environment:
Service, project or product which log or journal should be monitored
Log or journal information
Any additional information
na
Relevant lines from monitored log files:
failures in sense of fail2ban filter (fail2ban must match):
The text was updated successfully, but these errors were encountered: