A few questions about configuring Fail2Ban
Hello,
I have a few questions about configuring Fail2Ban:
1- The following options exist in two sections of Fail2Ban. One under [DEFAULT] section and another under the service configuration section:
Code:
maxretry = 3
2- If I set the value of findtime to 1d, that means the number of times that the wrong password is entered must happen during a day? For example, 3 times in one day.
3- What is the best value of findtime to avoid brute-force attack?
Thank you.
For what it's worth, I've found the default settings to be quite acceptable.
Thank you so much for your reply. If you define findtime = 10s and maxretry = 3, then the hacker enters the password twice under 10 seconds and enters the third time in 11 seconds, then will he/she be blocked?
If you're looking to stop bad actors attempting to access / brute force your system, a bit of research, even reading your own log files would show that the typical attack vector is an attempt every few seconds. A typical pattern is also to try a single password and if that fails to "back off" for a few seconds then try again. From experience I find the default values are sufficient to discourage automated attempts.
Thanks again. I think to prevent brute-force attack, findtime value should be 1s, but as you said, the best option is to look at the SSH logs to determine the best value. How can I tell Fail2Ban to block an IP address if it enters the wrong password 3 times regardless of the time interval?
I believe it is bantime = -1. If you actually use passwords only, then a short findtime will ban your users often, simply because they think they typed in the wrong password, and they will ask you to unban them all the time. I find setting it to a few minutes suffices. Remember, this is for brute force / well-known accounts and passwords. It is better to just use public key auth, or integrate one-time passwords using gauth or security devices. That way, no one has a "real" password.
Thank you so much for your reply.
1- So what settings do you recommend to protect against brute-force attacks?
2- I want to be blocked for one day if a person enters wrong password three times during the day. Is it possible?
Post #3
Thanks. Can you tell me how can I block someone who has entered the wrong password three times in any given time period?
These are the settings I use:
Code:
bantime = 20m
I also use a non-standard port so I'm not bombarded by bots. I think in the years I've been running my server, only one person/bot was persistent enough to get a ban for several weeks before giving up.
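The policy asked about in this thread (three wrong passwords within a day, banned for a day), as an added example that is not from any poster: a constructed jail.local in which [sshd] overrides [DEFAULT], plus a simplified model of the documented rule that a host is banned once it reaches maxretry failures within the last findtime. Fail2Ban's own counter is more involved and varies by version; the values, function names and timestamps below are assumptions made for illustration.

```python
import configparser

# Constructed jail.local for illustration; values are assumptions, not recommendations.
JAIL_LOCAL = """
[DEFAULT]
maxretry = 5
findtime = 10m
bantime  = 1d

[sshd]
enabled  = true
maxretry = 3
findtime = 1d
"""

UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}

def to_seconds(value):
    """Convert '10s', '20m', '1d' or a bare number of seconds (e.g. '-1') to an int."""
    value = value.strip()
    if value[-1] in UNITS:
        return int(value[:-1]) * UNITS[value[-1]]
    return int(value)

def effective(jail, text=JAIL_LOCAL):
    """Settings a jail ends up with: its own keys win, [DEFAULT] fills in the rest."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    sec = cp[jail]
    return {"maxretry": sec.getint("maxretry"),
            "findtime": to_seconds(sec["findtime"]),
            "bantime": to_seconds(sec["bantime"])}

def first_ban(failures, maxretry, findtime):
    """Time of the failure that reaches maxretry inside the last findtime seconds, else None."""
    seen = []
    for t in sorted(failures):
        # Keep only failures still inside the window that ends at t, then add t itself.
        seen = [x for x in seen if x > t - findtime] + [t]
        if len(seen) >= maxretry:
            return t
    return None

# Constructed sample: failed logins from one address at 09:00, 13:00 and 20:00,
# expressed as seconds since midnight.
SAMPLE = [9 * 3600, 13 * 3600, 20 * 3600]

if __name__ == "__main__":
    s = effective("sshd")
    print(s, first_ban(SAMPLE, s["maxretry"], s["findtime"]))
```

With findtime = 1d the third failure of the day triggers the ban; with the [DEFAULT] findtime of 10m the same three failures never fall inside one window, so no ban occurs.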