
I tried searching for this; I found many people asking, but I wasn't successful in finding a working (for me) solution.

I have an application that logs each connection on a custom log file.

When fail2ban detects more than 10 connections in 5 seconds from the same IP, it bans the "attacker" for 600 seconds.

It happens that the attacker can make 11/20 connections before getting banned (and that's ok).

After that I get "xxx.xxx.xxx.xxx already banned" messages in fail2ban.log for each line > 11. There is one of those messages each second; it's like fail2ban takes 1 second for each of the log lines with the same IP after the ban.

But in the meantime I have another attacker from another IP, and he successfully connects more times (i.e. 50) because fail2ban is analyzing the log lines from the previous IP (1 per second).

And so on... While fail2ban processes past log lines, new attackers make thousands of connections. That's incremental, and only the first few attackers get banned.

I have fail2ban NOW analyzing lines from connections made 1 or more hours earlier.

sebix
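A minimal model of the ban rule the question describes (more than 10 connections within 5 seconds bans the IP for 600 seconds, and later lines from a banned IP are only reported as "already banned"), added here as an illustration; it is not fail2ban's own code, and the log line format, IPs and timestamps are constructed for the example.

```python
import re
from collections import deque

FINDTIME = 5    # seconds: window in which connections are counted
MAXRETRY = 10   # connections allowed within FINDTIME (the 11th triggers a ban)
BANTIME = 600   # seconds the IP stays banned

# Constructed log format: "<unix timestamp> connection from <ip>"
LINE_RE = re.compile(r"^(?P<ts>\d+) connection from (?P<ip>\d+\.\d+\.\d+\.\d+)$")

def process_log(lines):
    """Replay log lines in order; return (bans issued, lines skipped as already banned)."""
    recent = {}    # ip -> deque of timestamps inside the current window
    banned = {}    # ip -> timestamp at which the ban expires
    bans = []      # (timestamp, ip) in the order bans were issued
    skipped = 0    # lines for an IP that was already banned at that time
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue                      # ignore lines that do not match the pattern
        ts, ip = int(m["ts"]), m["ip"]
        if ip in banned:
            if ts < banned[ip]:
                skipped += 1              # this is where fail2ban logs "<ip> already banned"
                continue
            del banned[ip]                # ban expired; start counting afresh
        window = recent.setdefault(ip, deque())
        window.append(ts)
        while window and window[0] <= ts - FINDTIME:
            window.popleft()              # drop hits older than the window
        if len(window) > MAXRETRY:        # "more than 10 connections in 5 seconds"
            banned[ip] = ts + BANTIME
            bans.append((ts, ip))
            window.clear()
    return bans, skipped

# Constructed sample: one IP bursting at 3 connections/second, one slow client,
# then the first IP returning after its ban has expired.
SAMPLE_LOG = (
    [f"{100 + i // 3} connection from 10.0.0.1" for i in range(15)]
    + [f"{200 + i} connection from 10.0.0.2" for i in range(5)]
    + ["800 connection from 10.0.0.1"]
)

if __name__ == "__main__":
    print(process_log(SAMPLE_LOG))   # ([(103, '10.0.0.1')], 4)
```

The four skipped lines are the ones that the question sees reported as "already banned"; the slow client never reaches the threshold and the returning IP is counted again once its 600-second ban has lapsed.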
  • fail2ban is a horrible piece of software, extremely bad reaction times, very strange date and time conversion issues on UTC servers. I recommend developing something similar yourself, it can be done in 20 lines of code (instead of the 20000 of fail2ban) – John Aug 11 '17 at 19:33
  • Reading of files has used an inotify mechanism rather than a polling-based read mechanism since it was introduced in ~2013. Perhaps state the version used. And date parsing was really hard and has undergone significant rework in 2014 and beyond. – danblack Sep 09 '18 at 01:55
