
How To Configure Fail2ban to ban bots for longer period of time

Posted: Wed Jun 20, 2018 4:06 pm
by Chirag_Sukhala
Hi,
I was analysing my fail2ban logs and exim4 logs and found that there are multiple failed logins into SSH and mail. fail2ban bans an IP after 5 max tries for 10 mins, but the bots continue the attack after the unban.
1) How to change the default ban time from 10 mins to something else.
2) How to ban IPs that were banned more than 5 times in the last 24 hours for a longer duration like a week/month.
3) How to block dynamic IPs based on a common hostname (chickenkiller.com) attacking mail.
4) Is CSF what I am looking for? viewtopic.php?f=20&t=10209

Thank You

Re: How To Configure Fail2ban to ban bots for longer period of time

Posted: Fri Oct 05, 2018 8:54 am
by jodumont
Hi;

Generally speaking, fail2ban has a filter for that; its name is recidive.
fail2ban recommends personalizing fail2ban by adding your changes inside a .local file; VestaCP follows this rule.

So if you add this to the file /etc/fail2ban/jail.local:

Code:

[recidive]
enabled = true
maxretry = 5
bantime = 3600
findtime = 3600

fail2ban will look inside /var/log/fail2ban.log for banned IPs,
and when one of these appears more than 5 times (maxretry) in a period of 3600s (findtime), it will ban it for 3600s (bantime).

note1
Any option not defined in /etc/fail2ban/jail.local will use the parameters defined in /etc/fail2ban/jail.conf, which you could look at to inspire yourself.

note2
The findtime and the bantime must be longer than any other bantime and findtime to be efficient.
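
The recidive behaviour described in the reply above, replayed in Python over constructed fail2ban.log lines (an added example, not part of the original post and not fail2ban's own code). The regex is a simplified stand-in for the recidive filter and `recidive_bans` / `sample_log` are hypothetical helper names; the example goes slightly beyond the post by also running a findtime shorter than the first jail's 10-minute ban, which shows why note2 matters.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Simplified stand-in for the recidive filter: any "[jail] Ban <ip>" line from
# fail2ban.actions, skipping bans that the recidive jail issued itself.
BAN_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d+ fail2ban\.actions\b.*"
    r"\[(?!recidive\])[^\]\s]+\] Ban (\S+)\s*$"
)

def recidive_bans(lines, maxretry=5, findtime=3600):
    """Return {ip: time of the triggering ban} for every IP whose Ban count
    reaches maxretry inside a sliding window of findtime seconds."""
    recent = defaultdict(deque)
    banned = {}
    for line in lines:
        m = BAN_RE.match(line)
        if not m:
            continue
        when = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        window = recent[m.group(2)]
        window.append(when)
        # Forget bans that have aged out of the findtime window.
        while (when - window[0]).total_seconds() > findtime:
            window.popleft()
        # Record only the first time the threshold is reached.
        if len(window) >= maxretry and m.group(2) not in banned:
            banned[m.group(2)] = when
    return banned

def sample_log(ip, jail, start, spacing, count):
    """Constructed log lines: `count` bans of `ip`, `spacing` seconds apart."""
    out = []
    for i in range(count):
        ts = (start + timedelta(seconds=i * spacing)).strftime("%Y-%m-%d %H:%M:%S")
        out.append(f"{ts},000 fail2ban.actions        [1234]: NOTICE  [{jail}] Ban {ip}")
    return out

if __name__ == "__main__":
    start = datetime(2018, 10, 5, 8, 0, 0)
    # Bot returns right after each 10-minute ban: one sshd ban every 630 s.
    log = sample_log("192.0.2.10", "sshd", start, 630, 6)
    print(recidive_bans(log))                # window of 3600 s holds 5 bans
    print(recidive_bans(log, findtime=600))  # window shorter than the ban: empty
```

With findtime no longer than the first jail's bantime, two bans of the same IP can never fall into one window, so the recidive jail stays silent however often the bot returns.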