Re: [bitfolk] SSH access to Xen Shell will have to be tighte…

Author: Gavin Westwood
Date:  
To: users
Subject: Re: [bitfolk] SSH access to Xen Shell will have to be tightened up
On 02/03/2018 11:26, Roger Light wrote:
> Hi Andy,
>
> Have you considered a multilevel approach with fail2ban? Something
> like the link below increases the ban timeout for repeat offenders.
>
> http://blog.shanock.com/fail2ban-increased-ban-times-for-repeat-offenders/


Also see
https://github.com/fail2ban/fail2ban/blob/master/config/filter.d/recidive.conf

I've included the filter I use (I think I edited it) below which I call
"repeatoffender" in my setup.

Thanks

Gavin

# From https://github.com/fail2ban/fail2ban/blob/master/config/filter.d/recidive.conf

# Fail2Ban filter for repeat bans
#
# This filter monitors the fail2ban log file, and enables you to add long
# time bans for ip addresses that get banned by fail2ban multiple times.
#
# Reasons to use this: block very persistent attackers for a longer time,
# stop receiving email notifications about the same attacker over and
# over again.
#
# This jail is only useful if you set the 'findtime' and 'bantime' parameters
# in jail.conf to a higher value than the other jails. Also, this jail has its
# drawbacks, namely in that it works only with iptables, or if you use a
# different blocking mechanism for this jail versus others (e.g. hostsdeny
# for most jails, and shorewall for this one).

[INCLUDES]

# Read common prefixes. If any customizations available -- read them from
# common.local
before = common.conf

[Definition]

_daemon = fail2ban\.actions\s*

# The name of the jail that this filter is used for. In jail.conf, name the
# jail using this filter 'recidive', or change this line!
_jailname = repeatoffender

failregex = ^(%(__prefix_line)s| %(_daemon)s%(__pid_re)s?:\s+)NOTICE\s+\[(?!%(_jailname)s\])(?:.*)\]\s+Ban\s+<HOST>\s*$

ignoreregex =

[Init]

journalmatch = _SYSTEMD_UNIT=fail2ban.service PRIORITY=5

# Author: Tom Hendrikx, modifications by Amir Caspi
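
Added example, not part of the original message or of fail2ban itself: a Python sketch of which fail2ban.log lines the failregex above counts, including the negative lookahead that skips the jail's own bans. It assumes a simplified expansion of the regex (only the _daemon branch, <HOST> narrowed to IPv4), constructed log lines, and an approximation of the maxretry/findtime check.

```python
import re
from collections import defaultdict
from datetime import datetime

JAILNAME = "repeatoffender"   # _jailname from the filter above
# Simplified expansion of the failregex: only the "_daemon + pid" branch,
# with <HOST> narrowed to IPv4 (assumption; fail2ban's <HOST> is broader).
BAN_RE = re.compile(
    r"^\s*fail2ban\.actions\s*(?:\[\d+\])?:\s+NOTICE\s+"
    r"\[(?!" + re.escape(JAILNAME) + r"\])(?:.*)\]\s+Ban\s+"
    r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})\s*$"
)
TS_LEN = len("2018-03-02 11:20:01,123")  # timestamp is split off before matching

# Constructed fail2ban.log lines (documentation addresses, not real data).
SAMPLE_LOG = """\
2018-03-02 09:00:01,100 fail2ban.actions        [812]: NOTICE  [sshd] Ban 192.0.2.10
2018-03-02 09:10:01,100 fail2ban.actions        [812]: NOTICE  [sshd] Unban 192.0.2.10
2018-03-02 09:30:44,250 fail2ban.actions        [812]: NOTICE  [sshd] Ban 192.0.2.10
2018-03-02 10:05:13,007 fail2ban.actions        [812]: NOTICE  [postfix] Ban 192.0.2.10
2018-03-02 10:05:14,000 fail2ban.actions        [812]: NOTICE  [repeatoffender] Ban 192.0.2.10
2018-03-02 10:40:00,500 fail2ban.actions        [812]: NOTICE  [sshd] Ban 198.51.100.7
2018-03-02 10:41:00,500 fail2ban.filter         [812]: INFO    [sshd] Found 198.51.100.7
"""

def parse_bans(log_text):
    """Return (timestamp, host) for each line the filter would count."""
    bans = []
    for line in log_text.splitlines():
        stamp, rest = line[:TS_LEN], line[TS_LEN:]
        m = BAN_RE.match(rest)
        if m:  # Unban lines, other loggers and the jail's own bans fall through
            ts = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S,%f")
            bans.append((ts, m.group("host")))
    return bans

def repeat_offenders(bans, maxretry, findtime):
    """Hosts with at least maxretry bans inside any findtime-second window."""
    by_host = defaultdict(list)
    for ts, host in bans:
        by_host[host].append(ts)
    flagged = set()
    for host, times in by_host.items():
        times.sort()
        for i in range(len(times) - maxretry + 1):
            if (times[i + maxretry - 1] - times[i]).total_seconds() <= findtime:
                flagged.add(host)
    return flagged
```

The [repeatoffender] line is the one the lookahead exists for: without it, each long ban would count as a further offence against the same address.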