Dear all,
I am looking at logs and notice that a lot of attacks happen "slowly", i.e. one per hour and probably using different IPs.
What would you suggest to catch those slow attacks?
I have a feeling that attackers understand that we are using fail2ban with default setting.
Do you think it would be possible to catch abuse with maxretry = 1 and submit with recidive and maxretry = 3?
Kind regards,
Gnutella
Catching slow scans and attacks
Re: Catching slow scans and attacks
Hello Gnutella,
You can set "findtime" for the jail higher, like:
bantime = 86400
findtime = 7200
logpath = xxx
....
Then Fail2Ban looks in the logs 7200 seconds back (2 hours) and when maxretry (3) matches, it blocks and reports.
Regards, Martin
http://www.blocklist.de/de/ Fail2Ban Reporting Service
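To make the two suggestions in this thread concrete (Martin's larger findtime, and Gnutella's idea of maxretry = 1 in the base jail plus recidive with maxretry = 3), here is an added Python model of how a findtime/maxretry window decides on a ban. It is not fail2ban's own code and was written by neither poster: it approximates findtime as a sliding window of failure timestamps, assumes a ban actually stops further failures from being logged, and runs over a constructed sample (one failure per hour from 198.51.100.7, plus two quick typos from 203.0.113.5) instead of a real log.

```python
"""Simplified model of fail2ban's findtime / maxretry / bantime logic.

Added example, not fail2ban's own implementation. Assumptions:
  * findtime is modelled as a sliding window over failure timestamps;
  * an IP that is currently banned produces no further counted failures.
"""
from collections import defaultdict, deque

HOUR = 3600
DAY = 24 * HOUR

# Constructed sample, not real log data. Tuples are (unix_time, ip).
# 198.51.100.7 fails once an hour for six hours (the "slow" attacker);
# 203.0.113.5 is a legitimate user who mistypes a password twice.
EVENTS = [(h * HOUR, "198.51.100.7") for h in range(6)] + [
    (100, "203.0.113.5"),
    (130, "203.0.113.5"),
]


def find_bans(failures, findtime, maxretry, bantime):
    """Replay failures through one jail and return [(ban_time, ip), ...]."""
    window = defaultdict(deque)   # ip -> recent failure timestamps
    banned_until = {}             # ip -> unix time the ban expires
    bans = []
    for t, ip in sorted(failures):
        if banned_until.get(ip, -1) > t:
            continue              # still banned: traffic is dropped, nothing to count
        q = window[ip]
        q.append(t)
        while q and t - q[0] > findtime:
            q.popleft()           # forget failures older than findtime
        if len(q) >= maxretry:
            bans.append((t, ip))
            banned_until[ip] = t + bantime
            q.clear()
    return bans


def scenario_default():
    """findtime = 10 min: each hourly failure falls out of the window."""
    return find_bans(EVENTS, findtime=600, maxretry=3, bantime=600)


def scenario_long_findtime():
    """Martin's suggestion: findtime = 2 h, bantime = 1 day, maxretry = 3."""
    return find_bans(EVENTS, findtime=2 * HOUR, maxretry=3, bantime=DAY)


def scenario_recidive():
    """Gnutella's idea: base jail bans on the first failure for one hour,
    a recidive-style jail counts those bans and bans for a week after three.
    Returns (first_stage_bans, recidive_bans)."""
    first_stage = find_bans(EVENTS, findtime=600, maxretry=1, bantime=HOUR)
    # The recidive jail reads fail2ban's own ban log, so each ban is one "failure".
    recidive = find_bans(first_stage, findtime=DAY, maxretry=3, bantime=7 * DAY)
    return first_stage, recidive


if __name__ == "__main__":
    print("default jail      :", scenario_default())
    print("findtime = 7200   :", scenario_long_findtime())
    stage1, stage2 = scenario_recidive()
    print("maxretry=1 bans   :", stage1)
    print("recidive bans     :", stage2)
```

With the 10 minute default window the hourly attacker is never banned; with findtime = 7200 the third failure (t = 7200) trips the ban. The maxretry = 1 variant also ends with the attacker banned by the recidive stage at t = 7200, but note the cost it shows on the sample: the legitimate user is locked out for an hour after a single typo. In a real setup the second stage is the stock recidive jail, which watches /var/log/fail2ban.log for "Ban" lines.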
Re: Catching slow scans and attacks
Good idea, I am trying that, thank you.