One of the problems that I run into is that when an ssh session starts it tries different authentication methods (publickey, keyboard-interactive). All these methods increase the ``TryCount'' for a specific IP, which is actually a good thing. But what I'd like to have is a ``ResetWhenSucceed'' option, which would reset the ``TryCount'' when a connection succeeds.
To be more explicit, let me give you a small scenario:
maxretry = 2
someone is doing some scp from his machine:
scp foo1.file host_with_fail2ban:
- 1st auth. method (publickey) fails, then
TryCount increases to 1
- 2nd auth. method (password) succeeds, TryCount = 1
then foo1.file is copied to host_with_fail2ban:
[*]
then he is doing another scp
scp foo2.file host_with_fail2ban:
- 1st auth. method (publickey) fails, then
TryCount increases to 2
aaaarrhh, TryCount = 2 then you are banned !!!
------------------------------
[Solution]
I've found an ugly workaround:
This was quite easy since I use tcpwrapper.
The idea is to create another jail which will "ban" people who had a successful login (don't forget to put maxretry = 1). This jail will create an /etc/hosts.to_unban.
And the normal jail, which bans people having too many unsuccessful logins, will create the file /etc/hosts.to_ban.
Then I've put in a crontab launched every minute (I know that this is slow) a script which will create /etc/hosts.deny by doing:
# hosts.to_unban holds the "ALL: <ip>" lines written by the successful-login jail
sort -u /etc/hosts.to_unban | \
# keep only the IP field
cut -d ' ' -f2 | \
# turn each IP into the grep pattern " <ip>$"
sed 's/$/$/g;s/^/ /g' | \
# drop every hosts.to_ban line whose IP had a successful login
grep -v -f - /etc/hosts.to_ban | \
# sort -u (not uniq) so non-adjacent duplicates are removed too
sort -u > /etc/hosts.deny
which removes the IP addresses with a successful login from the ban list.
Ced.
P.S. Excellent job, this fail2ban.
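The same hosts.deny rebuild, as an added example that is not the poster's script: it compares IPs exactly instead of as grep patterns and removes non-adjacent duplicates. It assumes both jail files use the hostsdeny action's "ALL: <ip>" line format; the sample data is constructed.

```python
import re

# One entry of /etc/hosts.deny style: "<daemon list>: <client>", e.g. "ALL: 192.0.2.10".
# Assumption: this is the format fail2ban's hostsdeny action writes to both jail files.
ENTRY = re.compile(r"^\s*(?P<daemons>[^:#]+):\s*(?P<ip>\S+)\s*$")


def parse_hosts_line(line):
    """Return (daemon_list, ip) for a hosts.deny style line, or None for comments/blank lines."""
    m = ENTRY.match(line)
    return (m.group("daemons").strip(), m.group("ip")) if m else None


def build_hosts_deny(to_ban_text, to_unban_text):
    """Return the hosts.deny content: every hosts.to_ban entry whose IP is not in hosts.to_unban.

    IPs are compared as exact strings (no regex metacharacters), duplicates are dropped
    wherever they appear in the file, and first-seen order is kept.
    """
    unbanned = {e[1] for e in map(parse_hosts_line, to_unban_text.splitlines()) if e}
    out, seen = [], set()
    for line in to_ban_text.splitlines():
        entry = parse_hosts_line(line)
        if entry is None or entry in seen or entry[1] in unbanned:
            continue
        seen.add(entry)
        out.append(f"{entry[0]}: {entry[1]}")
    return "\n".join(out) + ("\n" if out else "")


# Constructed sample data mirroring the scenario in the post: 192.0.2.10 collected
# failures from the publickey attempts but then logged in successfully.
TO_BAN = "ALL: 192.0.2.10\nALL: 198.51.100.7\nALL: 192.0.2.10\nALL: 192.0.2.100\n"
TO_UNBAN = "ALL: 192.0.2.10\n"

if __name__ == "__main__":
    # Only 198.51.100.7 and 192.0.2.100 remain banned.
    print(build_hosts_deny(TO_BAN, TO_UNBAN), end="")
```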
I really need this feature as well. Almost every ssh and vsftp login produces a failure message (trying /etc/passwd) and then succeeds against AD. The only exception seems to be the handful of users who actually have local accounts.