Question Fail2Ban recidive: how it work ?

[OverWolf]

Hi,

I'm on CentOS 7.3 with Plesk 17.5.3 and I'm configuring fail2ban (0.9.6) recidive to ban for 24 hours an ip. But if you look at the print-screen seems that it doesn't work as I expect.
When an IP is found for a specific jail it's banned for the period that I have configured for that event (my postfix example is banned for 2 hours) even if that IP is found as recidive.
So, what's wrong ? Am I missing something ?

Thank you

 

[OverWolf]

Hi,
i've done other tests, and probably I found the error; I've changed the interval for detection of subsequent attacks and now seems that recidive works as expected.
So, I would like to know if I understand how it works: after the max numbers of failed login attempts (ssh, ftp, postfix, etc.), the ip is ban as recidive. If it so, why the default interval of detection is so sort ?

 

[Bitpalast]

The recidive jail analyzes the fail2ban.log file. It does not directly analyze the postfix (maillog) log. Recidive counts the number of bans in the fail2ban.log.

 

[tkalfaoglu]

Beware of recidive - it can ban legitimate users for up to a week.. I just disabled mine.

 

[Bitpalast]

You can define the duration of bans using the "bantime" directive in the according recidive section of /etc/fail2ban/jail.local. You can also exclude your own IP from tests by adding it to the "ignoreip" directive.