
Catching slow scans and attacks

Posted: 7 Mar 2016, 19:18
by gnutella
Dear all,

I am looking at logs and notice that a lot of attacks happen "slowly", i.e. one per hour and probably using different IPs.
What would you suggest to catch those slow attacks?

I have a feeling that attackers understand that we are using fail2ban with default setting.

Do you think it would be possible to catch abuse with maxretry = 1 and submit with recidive and maxretry = 3?

Kind regards,
Gnutella

Re: Catching slow scans and attacks

Posted: 8 Mar 2016, 20:07
by Martin
Hello Gnutella,

you can set "findtime" for the jail higher, like:
bantime = 86400
findtime = 7200
logpath = xxx
....
Then Fail2Ban looks back 7200 seconds (2 hours) in the logs, and when maxretry (3) matches, it blocks and reports.
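The two ideas in this thread (Gnutella's quick-ban plus recidive, and Martin's longer findtime) both come down to how many failures from one address fall inside the counting window. The script below is an added example, not code from the thread or from the fail2ban project: it parses constructed sshd-style log lines (the addresses are documentation ranges, the year is assumed) and applies a simplified model of fail2ban's findtime/maxretry counting, namely a per-IP sliding window that counts failures no older than findtime seconds, inclusive at the boundary. fail2ban's own bookkeeping differs in detail, so treat the window semantics as an assumption, not a description of the tool. Because fail2ban only ever counts per address, a second function does the cross-IP check a practitioner wants for "probably using different IPs": it flags any span of the log in which failures arrive from several distinct addresses.

```python
"""Simplified model of fail2ban findtime/maxretry counting over sample log lines.

Added example (not fail2ban code). Assumptions: sliding per-IP window,
inclusive at the findtime boundary; log year is 2016; sample log is constructed.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log, not from the thread. 198.51.100.7 fails once per hour
# (the "slow" attacker), 203.0.113.9 fails five times in 90 seconds, and
# 192.0.2.77 fails once. One successful login is included as noise.
SAMPLE_LOG = """\
Mar  7 00:00:10 host sshd[1001]: Failed password for root from 198.51.100.7 port 40001 ssh2
Mar  7 00:30:00 host sshd[1002]: Failed password for invalid user admin from 203.0.113.9 port 41000 ssh2
Mar  7 00:30:20 host sshd[1003]: Failed password for invalid user admin from 203.0.113.9 port 41001 ssh2
Mar  7 00:30:41 host sshd[1004]: Failed password for invalid user admin from 203.0.113.9 port 41002 ssh2
Mar  7 00:31:05 host sshd[1005]: Failed password for invalid user admin from 203.0.113.9 port 41003 ssh2
Mar  7 00:31:30 host sshd[1006]: Failed password for invalid user admin from 203.0.113.9 port 41004 ssh2
Mar  7 01:00:12 host sshd[1007]: Failed password for root from 198.51.100.7 port 40002 ssh2
Mar  7 01:15:00 host sshd[1008]: Accepted publickey for deploy from 192.0.2.5 port 50000 ssh2
Mar  7 02:00:09 host sshd[1009]: Failed password for root from 198.51.100.7 port 40003 ssh2
Mar  7 03:00:15 host sshd[1010]: Failed password for root from 192.0.2.77 port 40004 ssh2
"""

# Matches only failed password lines and captures the syslog timestamp and source address.
FAIL_RE = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for .* from (\S+) port \d+"
)


def parse_failures(log_text, year=2016):
    """Return a time-sorted list of (unix_time, ip) for every failed login line."""
    events = []
    for line in log_text.splitlines():
        m = FAIL_RE.match(line)
        if not m:
            continue
        stamp = " ".join(m.group(1).split())  # collapse the syslog double space before the day
        ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        events.append((ts.timestamp(), m.group(2)))
    events.sort()
    return events


def simulate_bans(events, findtime, maxretry):
    """Return {ip: unix_time_of_ban} under a sliding findtime/maxretry window.

    A failure counts while it is at most findtime seconds older than the newest
    failure from the same IP (boundary inclusive, an assumption of this model).
    Once an IP is banned its later lines are ignored, as the firewall would drop them.
    """
    recent = defaultdict(list)
    bans = {}
    for t, ip in events:
        if ip in bans:
            continue
        hits = [x for x in recent[ip] if t - x <= findtime]
        hits.append(t)
        recent[ip] = hits
        if len(hits) >= maxretry:
            bans[ip] = t
    return bans


def distributed_scan(events, window, min_ips):
    """Cross-IP check fail2ban does not do: return the set of distinct source IPs
    if failures from at least min_ips addresses fall inside one window, else set()."""
    for i, (t_end, _) in enumerate(events):
        ips = {ip for t, ip in events[: i + 1] if t_end - t <= window}
        if len(ips) >= min_ips:
            return ips
    return set()


if __name__ == "__main__":
    ev = parse_failures(SAMPLE_LOG)
    for findtime, maxretry in ((600, 5), (7200, 3), (86400, 3)):
        banned = sorted(simulate_bans(ev, findtime, maxretry))
        print(f"findtime={findtime:>5} maxretry={maxretry}: banned {banned}")
    print("distinct sources within 24h:", sorted(distributed_scan(ev, 86400, 3)))
```

With the 600-second window only the fast attacker is banned; the hourly one never accumulates enough failures. Raising findtime to 7200 with maxretry = 3 bans the hourly attacker on its third attempt, but note that its first and third attempts are 7199 seconds apart in this sample, so a window of exactly two hours is cutting it close for a one-per-hour pattern; a day-long window leaves more margin. Neither setting helps when each attempt comes from a new address, which is what the distinct-source count is for.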

Re: Catching slow scans and attacks

Posted: 10 Mar 2016, 01:11
by gnutella
Good idea, I am trying that, thank you.