IMHO Fail2ban should have an option to enable automatic bantime, which increases each time an IP gets blocked. Otherwise, an attacker could guess how many tries he can make in a given time and exploit your services without reaching that limit.
See http://www.sshguard.net/docs/faqs/#why-addresses-released for more info.
indeed would be a good feature to have -- any takers? ;-)
That'll be a really nice feature!
I like the idea of the iptables recent module.
Have the bantime start when the packets stop.
There is a filter called recidive. You simply set it to monitor the fail2ban log and use it to set permanent bans for repeated offenders.
It's not exactly what you want, but it pretty much accomplishes the same goal, and you can already use it without waiting for this functionality to be added to fail2ban.
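A jail.local fragment showing the recidive setup the comment above describes, added here as an example and not taken from the thread or from fail2ban's shipped jail.conf. It assumes the stock recidive filter (which matches the "Ban <HOST>" lines fail2ban itself writes), a Debian-style log path, and the iptables-allports action; bantime = -1 is the permanent ban, and the paths and thresholds are assumptions to adjust for your host:

```ini
# jail.local -- example only, not fail2ban's own configuration
#
# The recidive jail reads fail2ban's OWN log rather than a service log,
# so every "Ban <HOST>" line written by any other jail counts as one
# failure here. An IP that gets banned by any jail `maxretry` times
# within `findtime` is then banned on all ports for `bantime`.

[DEFAULT]
# Short first-level ban used by the per-service jails below.
bantime  = 600       ; 10 minutes (assumed)
findtime = 600
maxretry = 5

[sshd]
enabled = true
port    = ssh
logpath = /var/log/auth.log   ; assumed Debian-style path

[recidive]
enabled   = true
# Filter shipped with fail2ban that matches its own "Ban <HOST>" lines.
filter    = recidive
# Path where fail2ban writes its log on this host (assumed).
logpath   = /var/log/fail2ban.log
# Block on every port, not just the one the original jail protected.
banaction = iptables-allports
# Escalation thresholds: 5 first-level bans within one day ...
findtime  = 86400    ; 1 day
maxretry  = 5
# ... lead to a permanent ban (-1 = never expire).
bantime   = -1
```

Note that `findtime` for recidive should be long enough to span several first-level ban cycles; an attacker who waits out a 10-minute ban and returns would otherwise never accumulate enough bans within the window. The per-service jails keep their short `bantime` so that legitimate users who mistype a password are not locked out for long.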
Another vote for an option to increase ban time exponentially where the exponent is some factor >= 1.0. I suppose I could write this myself, if I understood your protocol for accepting patches.
Well -- #716 is WIP for that, but it is a bit "messy" since it also has #824 in it... let me see if maybe I'll just finally merge 824 in ;)
Thanks, you just saved me a lot of duplication of effort. I'll be patient.
Well, I would encourage you @johnwbyrd to look through #716 and express your opinion, even on the specifications of the incremental bans... I still feel that, aiming at max flexibility, they are a bit cumbersome, but I could be convinced that I am just biased ;)
but it is a bit "messy"
just a little bit :)
It is my major branch; once, not paying attention, I merged it, but #824 concerns other files, therefore it can be easily distinguished from ban-time-incr.
Since #824 is merged into master, #716 is "clean" again.
implemented in #1460