• We value your experience with Plesk during 2024
    Plesk strives to perform even better in 2025. To help us improve further, please answer a few questions about your experience with Plesk Obsidian 2024.
    Please take this short survey:

    https://pt-research.typeform.com/to/AmZvSXkx
  • The Horde webmail has been deprecated. Its complete removal is scheduled for April 2025. For details and recommended actions, see the Feature and Deprecation Plan.
  • We’re working on enhancing the Monitoring feature in Plesk, and we could really use your expertise! If you’re open to sharing your experiences with server and website monitoring or providing feedback, we’d love to have a one-hour online meeting with you.

Fail2ban setting findtime per Jail

RubénN

New Pleskian
Hi,
sorry for my bad english

In Fail2ban (great idea to include it in plesk!) settings you can set "Time interval for detection of subsequent attacks" (findtime) in general. But it would be interesting this setting per Jail.
Why?
you could have 2 jail with same filter but different findtime. Example:
Jail 1) 5 failures in 600 seconds: 1800 seconds ban
Jail 2) 30 failures in 86400 seconds: 604800 seconds ban

There are bots that detect if you have some protection fail2ban or similar and it will adapt, login attempt every 300 seconds for example. Jail 1 no detect this attack, but Jail 2 yes.

See the example, live time :) :
[root@--------- log]# cat /var/log/maillog | grep 'warning: ---------'
Jul 14 07:10:54 --------- postfix/smtpd[5482]: warning: ---------[--.--.--.---]: SASL LOGIN authentication failed: authentication failure
Jul 14 07:54:16 --------- postfix/smtpd[4782]: warning: ---------[--.--.--.---]: SASL LOGIN authentication failed: authentication failure
Jul 14 08:37:18 --------- postfix/smtpd[7826]: warning: ---------[--.--.--.---]: SASL LOGIN authentication failed: authentication failure
Jul 14 09:20:05 --------- postfix/smtpd[9267]: warning: ---------[--.--.--.---]: SASL LOGIN authentication failed: authentication failure
Jul 14 10:03:43 --------- postfix/smtpd[10348]: warning: ---------[--.--.--.---]: SASL LOGIN authentication failed: authentication failure
Jul 14 10:47:04 --------- postfix/smtpd[11977]: warning: ---------[--.--.--.---]: SASL LOGIN authentication failed: authentication failure
Jul 14 11:30:31 --------- postfix/smtpd[13584]: warning: ---------[--.--.--.---]: SASL LOGIN authentication failed: authentication failure
Jul 14 12:14:15 --------- postfix/smtpd[15014]: warning: ---------[--.--.--.---]: SASL LOGIN authentication failed: authentication failure
Jul 14 12:58:38 --------- postfix/smtpd[16351]: warning: ---------[--.--.--.---]: SASL LOGIN authentication failed: authentication failure
Jul 14 13:43:37 --------- postfix/smtpd[18112]: warning: ---------[--.--.--.---]: SASL LOGIN authentication failed: authentication failure
Jul 14 14:27:24 --------- postfix/smtpd[19587]: warning: ---------[--.--.--.---]: SASL LOGIN authentication failed: authentication failure
Jul 14 15:10:43 --------- postfix/smtpd[21282]: warning: ---------[--.--.--.---]: SASL LOGIN authentication failed: authentication failure
Jul 14 15:53:45 --------- postfix/smtpd[22192]: warning: ---------[--.--.--.---]: SASL LOGIN authentication failed: authentication failure
Jul 14 16:37:05 --------- postfix/smtpd[23482]: warning: ---------[--.--.--.---]: SASL LOGIN authentication failed: authentication failure
Jul 14 17:20:54 --------- postfix/smtpd[24760]: warning: ---------[--.--.--.---]: SASL LOGIN authentication failed: authentication failure
Jul 14 18:03:46 --------- postfix/smtpd[25508]: warning: ---------[--.--.--.---]: SASL LOGIN authentication failed: authentication failure
Jul 14 18:46:45 --------- postfix/smtpd[26755]: warning: ---------[--.--.--.---]: SASL LOGIN authentication failed: authentication failure
Jul 14 19:29:44 --------- postfix/smtpd[28071]: warning: ---------[--.--.--.---]: SASL LOGIN authentication failed: authentication failure
Jul 14 20:12:58 --------- postfix/smtpd[29268]: warning: ---------[--.--.--.---]: SASL LOGIN authentication failed: authentication failure
Jul 14 20:56:20 --------- postfix/smtpd[30174]: warning: ---------[--.--.--.---]: SASL LOGIN authentication failed: authentication failure
Jul 14 21:39:09 --------- postfix/smtpd[31518]: warning: ---------[--.--.--.---]: SASL LOGIN authentication failed: authentication failure
Jul 14 22:21:23 --------- postfix/smtpd[519]: warning: ---------[--.--.--.---]: SASL LOGIN authentication failed: authentication failure
Jul 14 23:03:46 --------- postfix/smtpd[1345]: warning: ---------[--.--.--.---]: SASL LOGIN authentication failed: authentication failure
Jul 14 23:45:52 --------- postfix/smtpd[2404]: warning: ---------[--.--.--.---]: SASL LOGIN authentication failed: authentication failure
Jul 15 00:28:44 --------- postfix/smtpd[3436]: warning: ---------[--.--.--.---]: SASL LOGIN authentication failed: authentication failure
Jul 15 01:10:43 --------- postfix/smtpd[30571]: warning: ---------[--.--.--.---]: SASL LOGIN authentication failed: authentication failure
Jul 15 01:52:53 --------- postfix/smtpd[32239]: warning: ---------[--.--.--.---]: SASL LOGIN authentication failed: authentication failure
Jul 15 02:35:11 --------- postfix/smtpd[2059]: warning: ---------[--.--.--.---]: SASL LOGIN authentication failed: authentication failure
Jul 15 03:17:02 --------- postfix/smtpd[4835]: warning: ---------[--.--.--.---]: SASL LOGIN authentication failed: authentication failure
Jul 15 03:59:53 --------- postfix/smtpd[7154]: warning: ---------[--.--.--.---]: SASL LOGIN authentication failed: authentication failure
 
Hi omexlu,

pls. consider to use the RECIDIVE jail. It has been invented just for that special reason! ;)
 
Hi omexlu,

pls. consider to use the RECIDIVE jail. It has been invented just for that special reason! ;)

Hi, and how i don't really understand how to implement that in my jail:
Code:
[http-ddos-custom]
enabled = true
filter = http-ddos-custom
action = iptables-multiport[chain="INPUT", name="http-ddos-custom", port="http,https,7080,7081", protocol="tcp", blocktype="REJECT --reject-with icmp-port-unreachable"]
sendmail[dest="XXX", sender="fail2ban@XXX", sendername="Fail2Ban", name="http-ddos-custom"]
logpath = /var/www/vhosts/*/logs/access_ssl_log
/var/www/vhosts/*/logs/access_log
maxretry = 300

I want here a lower findtime that the global setting?

Filter:
Code:
[Definition]
failregex = ^<HOST> -.*"(GET|POST).*
ignoreregex =
 
Hi omexlu,

did you consider to READ the Fail2Ban - documentation? It states pretty clear:
Jail Options
Every jail can be customized by tuning following options:


filter Name of the filter to be used by the jail to detect matches. Each single match by a filter increments the counter within the jail
logpath /var/log/messages Path to the log file which is provided to the filter
maxretry 3 Number of matches (i.e. value of the counter) which triggers ban action on the IP.
findtime 600 sec The counter is set to zero if no match is found within "findtime" seconds.
bantime 600 sec Duration (in seconds) for IP to be banned for. Negative number for "permanent" ban.

 
Hi omexlu,


correct. ;)

Ok thank you i will do that :)

But i have make on test trought a webproxy the IP was blocked and showed in iptables -L but still can reload the website.

Something wrong here:
Code:
action = iptables-multiport[chain="INPUT", name="http-ddos-custom", port="http,https,7080,7081", protocol="tcp", blocktype="REJECT --reject-with icmp-port-unreachable"]
 
Hi omexlu,

pls. stick to the threads topic/initial post and open a NEW thread with issues/problems/questions NOT related to the threads initial post. ;)
 
@RubénN and @Pascal_Netenvie

In response to this entire thread, started with

Hi,
.......
There are bots that detect if you have some protection fail2ban or similar and it will adapt, login attempt every 300 seconds for example. Jail 1 no detect this attack, but Jail 2 yes.

See the example, live time :) :
[root@--------- log]# cat /var/log/maillog | grep 'warning: ---------'
Jul 14 07:10:54 --------- postfix/smtpd[5482]: warning: ---------[--.--.--.---]: SASL LOGIN authentication failed: authentication failure
......
Jul 15 03:59:53 --------- postfix/smtpd[7154]: warning: ---------[--.--.--.---]: SASL LOGIN authentication failed: authentication failure

I can state that it is possible to set the findtime PER JAIL.

One can add the variable findtime to jail.local on a per jail basis.

Do not forget to restart Fail2Ban.

Also note that it is "best practice" to stop Fail2Ban before editing jail.local manually, since the (new) start of Fail2Ban will reread all of the relevant logs: this will (in most cases) also block the bad IPs that have been missed before.

Hope the above helps!

Regards.........
 
Back
Top