
Re: fail2ban [was: howto block ssh brute-force]



Hi,

> also sprach johannes weiß <weissi_ml@tux4u.de> [2006.03.13.1132 +0100]:
> > I use fail2ban and I'm very happy with it.
>
> Am I correct in assuming that it simply adds rules like
>
>   -A fail2ban_chain -s 1.2.3.4/32 -j DROP

this is the std config. But it's widely configurable (e.g.:
--- SNIP (fail2ban.conf, std config) ---
fwban = iptables -I fail2ban-%(__name__)s 1 -s <ip> -j DROP
fwunban = iptables -D fail2ban-%(__name__)s -s <ip> -j DROP
maxfailures = 5
bantime = 600
findtime = 600
--- SNAP ---


> to iptables whenever 1.2.3.4/32 has too many login failures?

it executes "fwban" if an IP has more than "maxfailures" failures in "findtime". This ban will be removed after "bantime" seconds.
Also configurable:
- Mail sending
- Apache (htaccess) checks
- I'm pretty sure that other auth log files could also be parsed (by regexp) if you want to.


> Does it expire entries?

(yes after "bantime" seconds)


Best regards,
johannes
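
The ban and expiry behaviour described in the message above, replayed over constructed log lines as an added example (not part of the original post and not fail2ban's own code). The thresholds and iptables commands come from the quoted config excerpt; the jail name `SSH`, the log regex and the sample lines are assumptions.

```python
import re
from collections import defaultdict, deque

# Values taken from the fail2ban.conf excerpt in the message
MAXFAILURES, BANTIME, FINDTIME = 5, 600, 600
FWBAN = "iptables -I fail2ban-{name} 1 -s {ip} -j DROP"
FWUNBAN = "iptables -D fail2ban-{name} -s {ip} -j DROP"

# Assumed pattern for OpenSSH failure lines; not fail2ban's own regex
FAIL_RE = re.compile(
    r"Failed password for (?:invalid user )?\S+ from (\d{1,3}(?:\.\d{1,3}){3})")


def simulate(events, name="SSH", end=None):
    """Replay (epoch_seconds, log_line) pairs, sorted by time.

    Returns the (time, command) pairs that would be executed.
    """
    failures = defaultdict(deque)   # ip -> timestamps of recent failures
    banned = {}                     # ip -> time at which the ban expires
    actions = []

    def expire(now):
        for ip in sorted(ip for ip, t in banned.items() if t <= now):
            actions.append((banned.pop(ip), FWUNBAN.format(name=name, ip=ip)))

    for now, line in events:
        expire(now)
        match = FAIL_RE.search(line)
        if not match or match.group(1) in banned:
            continue
        ip = match.group(1)
        window = failures[ip]
        window.append(now)
        while window[0] <= now - FINDTIME:   # drop failures older than findtime
            window.popleft()
        if len(window) > MAXFAILURES:        # "more than maxfailures", as described
            banned[ip] = now + BANTIME
            actions.append((now, FWBAN.format(name=name, ip=ip)))
            window.clear()
    if end is not None:
        expire(end)
    return actions


def sample_events():
    """Constructed log lines: six failures in 50 s, and six spaced 300 s apart."""
    fast = [(t, "sshd[1]: Failed password for root from 192.0.2.10 port 4000 ssh2")
            for t in range(0, 60, 10)]
    slow = [(t, "sshd[2]: Failed password for invalid user bob from 198.51.100.7 port 4001 ssh2")
            for t in range(0, 1800, 300)]
    return sorted(fast + slow)
```

`simulate(sample_events())` returns one ban and the matching unban for 192.0.2.10 only; the second address never has more than two failures inside any `findtime` window.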


