Fail2ban setting findtime per Jail

RubénN

New Pleskian
Hi,
sorry for my bad English

In the Fail2ban settings (great idea to include it in Plesk!) you can set "Time interval for detection of subsequent attacks" (findtime) in general. But it would be interesting to have this setting per jail.
Why?
You could have 2 jails with the same filter but different findtime. Example:
Jail 1) 5 failures in 600 seconds: 1800 seconds ban
Jail 2) 30 failures in 86400 seconds: 604800 seconds ban

There are bots that detect if you have some protection like fail2ban or similar and will adapt, with a login attempt every 300 seconds for example. Jail 1 does not detect this attack, but Jail 2 does.

See the example, live time :) :
[root@--------- log]# cat /var/log/maillog | grep 'warning: ---------'
Jul 14 07:10:54 --------- postfix/smtpd[5482]: warning: ---------[--.--.--.---]: SASL LOGIN authentication failed: authentication failure
Jul 14 07:54:16 --------- postfix/smtpd[4782]: warning: ---------[--.--.--.---]: SASL LOGIN authentication failed: authentication failure
Jul 14 08:37:18 --------- postfix/smtpd[7826]: warning: ---------[--.--.--.---]: SASL LOGIN authentication failed: authentication failure
Jul 14 09:20:05 --------- postfix/smtpd[9267]: warning: ---------[--.--.--.---]: SASL LOGIN authentication failed: authentication failure
Jul 14 10:03:43 --------- postfix/smtpd[10348]: warning: ---------[--.--.--.---]: SASL LOGIN authentication failed: authentication failure
Jul 14 10:47:04 --------- postfix/smtpd[11977]: warning: ---------[--.--.--.---]: SASL LOGIN authentication failed: authentication failure
Jul 14 11:30:31 --------- postfix/smtpd[13584]: warning: ---------[--.--.--.---]: SASL LOGIN authentication failed: authentication failure
Jul 14 12:14:15 --------- postfix/smtpd[15014]: warning: ---------[--.--.--.---]: SASL LOGIN authentication failed: authentication failure
Jul 14 12:58:38 --------- postfix/smtpd[16351]: warning: ---------[--.--.--.---]: SASL LOGIN authentication failed: authentication failure
Jul 14 13:43:37 --------- postfix/smtpd[18112]: warning: ---------[--.--.--.---]: SASL LOGIN authentication failed: authentication failure
Jul 14 14:27:24 --------- postfix/smtpd[19587]: warning: ---------[--.--.--.---]: SASL LOGIN authentication failed: authentication failure
Jul 14 15:10:43 --------- postfix/smtpd[21282]: warning: ---------[--.--.--.---]: SASL LOGIN authentication failed: authentication failure
Jul 14 15:53:45 --------- postfix/smtpd[22192]: warning: ---------[--.--.--.---]: SASL LOGIN authentication failed: authentication failure
Jul 14 16:37:05 --------- postfix/smtpd[23482]: warning: ---------[--.--.--.---]: SASL LOGIN authentication failed: authentication failure
Jul 14 17:20:54 --------- postfix/smtpd[24760]: warning: ---------[--.--.--.---]: SASL LOGIN authentication failed: authentication failure
Jul 14 18:03:46 --------- postfix/smtpd[25508]: warning: ---------[--.--.--.---]: SASL LOGIN authentication failed: authentication failure
Jul 14 18:46:45 --------- postfix/smtpd[26755]: warning: ---------[--.--.--.---]: SASL LOGIN authentication failed: authentication failure
Jul 14 19:29:44 --------- postfix/smtpd[28071]: warning: ---------[--.--.--.---]: SASL LOGIN authentication failed: authentication failure
Jul 14 20:12:58 --------- postfix/smtpd[29268]: warning: ---------[--.--.--.---]: SASL LOGIN authentication failed: authentication failure
Jul 14 20:56:20 --------- postfix/smtpd[30174]: warning: ---------[--.--.--.---]: SASL LOGIN authentication failed: authentication failure
Jul 14 21:39:09 --------- postfix/smtpd[31518]: warning: ---------[--.--.--.---]: SASL LOGIN authentication failed: authentication failure
Jul 14 22:21:23 --------- postfix/smtpd[519]: warning: ---------[--.--.--.---]: SASL LOGIN authentication failed: authentication failure
Jul 14 23:03:46 --------- postfix/smtpd[1345]: warning: ---------[--.--.--.---]: SASL LOGIN authentication failed: authentication failure
Jul 14 23:45:52 --------- postfix/smtpd[2404]: warning: ---------[--.--.--.---]: SASL LOGIN authentication failed: authentication failure
Jul 15 00:28:44 --------- postfix/smtpd[3436]: warning: ---------[--.--.--.---]: SASL LOGIN authentication failed: authentication failure
Jul 15 01:10:43 --------- postfix/smtpd[30571]: warning: ---------[--.--.--.---]: SASL LOGIN authentication failed: authentication failure
Jul 15 01:52:53 --------- postfix/smtpd[32239]: warning: ---------[--.--.--.---]: SASL LOGIN authentication failed: authentication failure
Jul 15 02:35:11 --------- postfix/smtpd[2059]: warning: ---------[--.--.--.---]: SASL LOGIN authentication failed: authentication failure
Jul 15 03:17:02 --------- postfix/smtpd[4835]: warning: ---------[--.--.--.---]: SASL LOGIN authentication failed: authentication failure
Jul 15 03:59:53 --------- postfix/smtpd[7154]: warning: ---------[--.--.--.---]: SASL LOGIN authentication failed: authentication failure
 
Hi omexlu,

pls. consider using the RECIDIVE jail. It has been invented just for that special reason! ;)
 
Hi, I don't really understand how to implement that in my jail:
Code:
[http-ddos-custom]
enabled = true
filter = http-ddos-custom
action = iptables-multiport[chain="INPUT", name="http-ddos-custom", port="http,https,7080,7081", protocol="tcp", blocktype="REJECT --reject-with icmp-port-unreachable"]
         sendmail[dest="XXX", sender="fail2ban@XXX", sendername="Fail2Ban", name="http-ddos-custom"]
logpath = /var/www/vhosts/*/logs/access_ssl_log
          /var/www/vhosts/*/logs/access_log
maxretry = 300

I want a lower findtime here than the global setting?

Filter:
Code:
[Definition]
failregex = ^<HOST> -.*"(GET|POST).*
ignoreregex =
 
Hi omexlu,

did you consider READING the Fail2Ban documentation? It states pretty clearly:
Jail Options
Every jail can be customized by tuning the following options:

filter     (no default)                Name of the filter to be used by the jail to detect matches. Each single match by a filter increments the counter within the jail.
logpath    (default: /var/log/messages) Path to the log file which is provided to the filter.
maxretry   (default: 3)                 Number of matches (i.e. value of the counter) which triggers ban action on the IP.
findtime   (default: 600 sec)           The counter is set to zero if no match is found within "findtime" seconds.
bantime    (default: 600 sec)           Duration (in seconds) for IP to be banned for. Negative number for "permanent" ban.

 
Hi omexlu,

correct. ;)

Ok, thank you, I will do that :)

But I have made a test through a web proxy: the IP was blocked and shown in iptables -L, but I still can reload the website.

Something wrong here:
Code:
action = iptables-multiport[chain="INPUT", name="http-ddos-custom", port="http,https,7080,7081", protocol="tcp", blocktype="REJECT --reject-with icmp-port-unreachable"]
 
Hi omexlu,

pls. stick to the thread's topic/initial post and open a NEW thread with issues/problems/questions NOT related to the thread's initial post. ;)
 
@RubénN and @Pascal_Netenvie

In response to this entire thread, started with

Hi,
.......
There are bots that detect if you have some protection fail2ban or similar and it will adapt, login attempt every 300 seconds for example. Jail 1 no detect this attack, but Jail 2 yes.

See the example, live time :) :
[root@--------- log]# cat /var/log/maillog | grep 'warning: ---------'
Jul 14 07:10:54 --------- postfix/smtpd[5482]: warning: ---------[--.--.--.---]: SASL LOGIN authentication failed: authentication failure
......
Jul 15 03:59:53 --------- postfix/smtpd[7154]: warning: ---------[--.--.--.---]: SASL LOGIN authentication failed: authentication failure

I can state that it is possible to set the findtime PER JAIL.

One can add the variable findtime to jail.local on a per jail basis.

Do not forget to restart Fail2Ban.

Also note that it is "best practice" to stop Fail2Ban before editing jail.local manually, since the (new) start of Fail2Ban will reread all of the relevant logs: this will (in most cases) also block the bad IPs that have been missed before.

Hope the above helps!

Regards.........
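Added example (not code from this thread, from Plesk or from Fail2Ban itself) that ties together the two points made above: the initial post's pair of jails sharing one filter with different findtime/maxretry/bantime, and the statement that findtime can be set per jail in jail.local. The jail.local fragment, the jail names postfix-sasl-fast/postfix-sasl-slow, the hostname mx1, the PID 1234, the client IP 192.0.2.10 and the year 2024 are all constructed; the timestamps are the ones from the maillog excerpt in the first post. The failregex is a simplified stand-in for Fail2Ban's bundled postfix-sasl filter, and findtime is modelled as a sliding window over the last findtime seconds, which is how current Fail2Ban evaluates it (the "counter is set to zero" wording in the quoted documentation is an older simplification).

```python
"""Evaluate two jails with different findtime against the slow SASL brute force from the thread."""
import configparser
import re
from datetime import datetime, timedelta

# Constructed jail.local fragment (assumption, not from the thread): [DEFAULT] carries the
# global values; the "fast" jail inherits them, the "slow" jail overrides them per jail.
JAIL_LOCAL = """
[DEFAULT]
findtime = 600
maxretry = 5
bantime  = 1800

[postfix-sasl-fast]
enabled = true
filter  = postfix-sasl
logpath = /var/log/maillog

[postfix-sasl-slow]
enabled  = true
filter   = postfix-sasl
logpath  = /var/log/maillog
maxretry = 30
findtime = 86400
bantime  = 604800
"""

# Timestamps copied from the maillog excerpt in the first post (30 failures, one every ~43 min).
TIMES = [
    "Jul 14 07:10:54", "Jul 14 07:54:16", "Jul 14 08:37:18", "Jul 14 09:20:05", "Jul 14 10:03:43",
    "Jul 14 10:47:04", "Jul 14 11:30:31", "Jul 14 12:14:15", "Jul 14 12:58:38", "Jul 14 13:43:37",
    "Jul 14 14:27:24", "Jul 14 15:10:43", "Jul 14 15:53:45", "Jul 14 16:37:05", "Jul 14 17:20:54",
    "Jul 14 18:03:46", "Jul 14 18:46:45", "Jul 14 19:29:44", "Jul 14 20:12:58", "Jul 14 20:56:20",
    "Jul 14 21:39:09", "Jul 14 22:21:23", "Jul 14 23:03:46", "Jul 14 23:45:52", "Jul 15 00:28:44",
    "Jul 15 01:10:43", "Jul 15 01:52:53", "Jul 15 02:35:11", "Jul 15 03:17:02", "Jul 15 03:59:53",
]
# Constructed log lines: hostname, PID and client IP are placeholders (redacted in the post).
LOG_LINES = [
    f"{t} mx1 postfix/smtpd[1234]: warning: unknown[192.0.2.10]: "
    "SASL LOGIN authentication failed: authentication failure"
    for t in TIMES
]

# Simplified stand-in for the postfix-sasl failregex: timestamp plus the client host in [].
FAILREGEX = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: warning: "
    r"\S+\[(?P<host>[^\]]+)\]: SASL \w+ authentication failed"
)


def load_jails(text):
    """Parse a jail.local fragment; per-jail keys override [DEFAULT] exactly as configparser does."""
    cfg = configparser.ConfigParser()
    cfg.read_string(text)
    return {
        name: {k: cfg[name].getint(k) for k in ("maxretry", "findtime", "bantime")}
        for name in cfg.sections()
    }


def parse(line, year=2024):
    """Return (timestamp, host) for a matching line, or None. Syslog lines carry no year."""
    m = FAILREGEX.match(line)
    if m is None:
        return None
    return datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S"), m["host"]


def first_ban(lines, maxretry, findtime):
    """Sliding window: ban once maxretry failures from one host fall within findtime seconds.

    Returns (host, ban timestamp, 0-based line index) for the first ban, or None if none occurs.
    """
    window = {}  # host -> failure timestamps still inside the findtime window
    for idx, line in enumerate(lines):
        parsed = parse(line)
        if parsed is None:
            continue
        ts, host = parsed
        hits = window.setdefault(host, [])
        hits.append(ts)
        cutoff = ts - timedelta(seconds=findtime)
        hits[:] = [h for h in hits if h >= cutoff]  # drop failures older than findtime
        if len(hits) >= maxretry:
            return host, ts, idx
    return None


def evaluate(jail_local=JAIL_LOCAL, lines=LOG_LINES):
    """Map each jail to its first ban (or None) when run over the same log lines."""
    return {name: first_ban(lines, j["maxretry"], j["findtime"]) for name, j in load_jails(jail_local).items()}


if __name__ == "__main__":
    for name, ban in evaluate().items():
        print(name, "->", "no ban" if ban is None else f"ban {ban[0]} at {ban[1]} (line {ban[2] + 1})")
```

Running it shows the effect the first post describes: the jail inheriting the global 600-second findtime never sees 5 failures in one window (the attempts are about 43 minutes apart), while the jail with its own findtime of 86400 bans the client on the 30th failure, about 21 hours after the first one.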
 