Fail2ban: bantime implementation philosophy

Created on 11 Feb 2018 · 3 Comments · Source: fail2ban/fail2ban

This is a feature request / change in bantime design philosophy(?).

I have been using wail2ban recently on my Windows VPS and it has struck me that the way the author has implemented the bantime was rather inspired.

The author uses a time to ban to the power of the number of times the IP has been banned. This negates the need for a fail2ban or recidive jail because the bantimes become progressively longer.

i.e. Bantime set at 5 (minutes)
First ban is 5^1 = 5 min
Second Ban is 5^2 = 25 min
Third Ban is 5^3 = 125 min
Fourth Ban is 5^4 = 625 min
and so on.

The only issue with this methodology is that it requires a "bannedips" file with a counter, as opposed to the current scan-the-logs means of determining who gets banned.

implemented-in-newer-version

All 3 comments

This is already implemented in 0.11 (from #1460); see jail.conf for an example: https://github.com/fail2ban/fail2ban/blob/681bc2ef07ebdf749ccef624d8d598de42b0c6b6/config/jail.conf#L47-L49

Please note that because botnets could relatively easily determine your ban settings, this also affects the failure counters (meaning maxretry), if bantime.increment is allowed:

  • before the first ban, the IP should make maxretry (5) failed attempts inside findtime to be banned;
  • after unban it is known as "bad", so for the next ban 3 attempts are enough;
  • the next time, 2 attempts only;
  • each time after that it will be banned immediately (already after 1 attempt).

The "bad" indicator is reset if the IP is removed from the database (manual unban, or after triple the time of the last ban if there are no further failures), for example:

  • IP was banned for 1 day. It will be removed at the earliest in 3 days;
  • IP was banned May 01 00:00:00 for 12 hours. It will be removed after May 02 12:00:00.

For an example of the config, see https://github.com/fail2ban/fail2ban/issues/1791#issuecomment-303343075
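A small model of the policy discussed in this thread, added here as an example (it is not fail2ban's own code and not the project's real formula): it combines the bantime^count escalation from the original post with the shrinking maxretry ladder (5, 3, 2, 1) and the "purge after 3x the last ban" rule from the reply. It ignores findtime, takes failures one at a time, and uses an integer minute counter as the clock; the IP and class names are constructed for the demo.

```python
"""Model of the progressive-ban policy described in this fail2ban thread.

Constructed example: bantime = base ** ban_count (original post), the per-ban
maxretry ladder 5 -> 3 -> 2 -> 1 and the database purge after 3x the last
bantime (reply). findtime windows are not modelled.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Dict, Optional

MAXRETRY_LADDER = [5, 3, 2, 1]   # failures needed for ban #1, #2, #3, #4 and later


def bantime_for(base_minutes: int, ban_count: int) -> int:
    """Original post's rule: first ban base**1, second base**2, ..."""
    return base_minutes ** ban_count


def retry_threshold(previous_bans: int) -> int:
    """An IP already known as 'bad' needs fewer failures before the next ban."""
    return MAXRETRY_LADDER[min(previous_bans, len(MAXRETRY_LADDER) - 1)]


@dataclass
class Record:
    ban_count: int = 0
    failures: int = 0
    ban_until: int = 0   # simulated minute at which the current ban ends
    purge_at: int = 0    # simulated minute at which the record is forgotten


class Banner:
    def __init__(self, base_minutes: int = 5) -> None:
        self.base = base_minutes
        self.db: Dict[str, Record] = {}   # stands in for fail2ban's jail database

    def _lookup(self, ip: str, now: int) -> Record:
        rec = self.db.get(ip)
        if rec is not None and rec.purge_at and now >= rec.purge_at:
            del self.db[ip]   # triple-bantime expiry: "bad" indicator is reset
            rec = None
        return rec if rec is not None else self.db.setdefault(ip, Record())

    def failure(self, ip: str, now: int) -> Optional[int]:
        """Record one failed attempt; return the ban length (minutes) if it bans."""
        rec = self._lookup(ip, now)
        rec.failures += 1
        if rec.failures < retry_threshold(rec.ban_count):
            return None
        rec.ban_count += 1
        rec.failures = 0
        length = bantime_for(self.base, rec.ban_count)
        rec.ban_until = now + length
        rec.purge_at = now + 3 * length
        return length
```

With base 5 this reproduces the 5, 25, 125, 625 minute sequence from the first post, while the number of failures needed for each successive ban drops from 5 to 1 and the record is dropped 3x the last bantime after the ban began, as the reply describes.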

@sebres since 0.11 isn't officially released yet, is this also available on 0.10.x?

Nope. Unfortunately.
