Catching slow scans and attacks

gnutella
Posts: 7
Registered: 4 Mar 2016, 19:42

Catching slow scans and attacks

Post by gnutella » 7 Mar 2016, 19:18

Dear all,

I am looking at logs and notice that a lot of attacks happen "slowly", i.e. one per hour and probably using different IPs.
What would you suggest to catch those slow attacks?

I have a feeling that attackers understand that we are using fail2ban with default setting.

Do you think it would be possible to catch abuse with maxretry = 1 and submit with recidive and maxretry = 3?

Kind regards,
Gnutella

Martin
Posts: 400
Registered: 14 Sep 2010, 11:54

Re: Catching slow scans and attacks

Post by Martin » 8 Mar 2016, 20:07

Hello Gnutella,

you can set "findtime" for the jail higher, like:
bantime = 86400
findtime = 7200
logpath = xxx
....
Then Fail2Ban looks in the logs 7200 seconds back (2 hours) and when maxretry (3) matches, it blocks and reports.
Regards, Martin
http://www.blocklist.de/de/ Fail2Ban Reporting Service
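To make the effect of the findtime window concrete, here is an added example (it is not code from this thread or from the fail2ban project): a small model of fail2ban's findtime/maxretry sliding-window decision, run over constructed auth log lines. It assumes a jail.local fragment in the shape Martin describes (the logpath and the IPs are placeholders) and shows that one failure per hour from the same address is never banned with a 600-second window but is caught once findtime is raised to 7200 seconds.

```python
# Added example, not from the forum thread or from fail2ban itself: a minimal
# model of fail2ban's findtime / maxretry sliding window, to show why a short
# findtime misses "slow" attacks that only fail once per hour.
import configparser
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed jail.local fragment in the shape suggested in the thread.
# The logpath is a placeholder; values are the ones Martin mentions.
JAIL_LOCAL = """\
[sshd]
enabled  = true
bantime  = 86400
findtime = 7200
maxretry = 3
logpath  = /var/log/auth.log
"""

# Constructed sample log lines (not real data): one "slow" attacker failing
# about once per hour from 198.51.100.7, and one fast burst from 203.0.113.9.
SAMPLE_LOG = """\
2016-03-07 10:00:01 sshd[100]: Failed password for root from 198.51.100.7 port 5000 ssh2
2016-03-07 11:00:05 sshd[101]: Failed password for admin from 198.51.100.7 port 5001 ssh2
2016-03-07 11:59:09 sshd[102]: Failed password for test from 198.51.100.7 port 5002 ssh2
2016-03-07 12:00:10 sshd[103]: Failed password for root from 203.0.113.9 port 6000 ssh2
2016-03-07 12:00:11 sshd[104]: Failed password for root from 203.0.113.9 port 6001 ssh2
2016-03-07 12:00:12 sshd[105]: Failed password for root from 203.0.113.9 port 6002 ssh2
"""

# Simplified failregex-style pattern: capture the timestamp and the source IP.
FAIL_RE = re.compile(r"^(\S+ \S+) .*Failed password for \S+ from (\S+) port")


def load_jail(text, name):
    """Read findtime / maxretry / bantime for one jail from jail.local text."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    return {
        "findtime": cp.getint(name, "findtime"),
        "maxretry": cp.getint(name, "maxretry"),
        "bantime": cp.getint(name, "bantime"),
    }


def parse_failures(log_text):
    """Yield (timestamp, ip) for every line matching the failure pattern."""
    for line in log_text.splitlines():
        m = FAIL_RE.match(line)
        if m:
            yield datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"), m.group(2)


def find_bans(log_text, findtime, maxretry):
    """Return {ip: time of ban}. An IP is banned at the first failure at which
    at least `maxretry` of its failures fall within the last `findtime` seconds,
    which is the fail2ban sliding-window rule this example models."""
    window = timedelta(seconds=findtime)
    recent = defaultdict(deque)   # per-IP timestamps still inside the window
    banned = {}
    for ts, ip in parse_failures(log_text):
        if ip in banned:
            continue              # already banned; fail2ban stops counting
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window: # drop failures that fell out of the window
            q.popleft()
        if len(q) >= maxretry:
            banned[ip] = ts
    return banned


if __name__ == "__main__":
    jail = load_jail(JAIL_LOCAL, "sshd")
    for ft in (600, jail["findtime"]):
        bans = find_bans(SAMPLE_LOG, ft, jail["maxretry"])
        print(f"findtime={ft}s maxretry={jail['maxretry']}: "
              f"banned {sorted(bans)} for {jail['bantime']}s")
```

Run it as-is and compare the two lines of output: with findtime=600 only the burst from 203.0.113.9 is banned, while with findtime=7200 the hourly attempts from 198.51.100.7 are caught as well. Widening findtime has a cost, since occasional genuine typos over a longer period now also add up, so raise maxretry a little or pair a long findtime with a recidive jail rather than banning on a single hit.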

gnutella
Posts: 7
Registered: 4 Mar 2016, 19:42

Re: Catching slow scans and attacks

Post by gnutella » 10 Mar 2016, 01:11

Good idea, I am trying that, thank you.
