#39 ssh: reset counter when success login happen


One of the problems I run into is that when an ssh session starts it tries different authentication methods (publickey, keyboard-interactive). All these methods increase the ``TryCount'' for a specific IP, which is actually a good thing. But what I'd like to have is a ``ResetWhenSucceed'' option, which will reset the ``TryCount'' when a connection succeeds.

To be more explicit, let me give you a small scenario:
maxretry = 2

someone is doing some scp from his machine:
scp foo1.file host_with_fail2ban:
- 1st auth. method (publickey) failed, then TryCount increases to 1
- 2nd auth. method (password), then TryCount = 1
then foo1.file is copied to host_with_fail2ban:


then he is doing another scp
scp foo2.file host_with_fail2ban:
- 1st auth. method (publickey), then TryCount increases to 2
aaaarrhh TryCount = 2, then you are banned !!!

I've found an ugly workaround:
This was quite easy since I use tcpwrapper.

The idea is to create another jail which will ban people who had a successful login (don't forget to put maxretry = 1). This jail will create /etc/hosts.to_unban.

And the normal jail, which bans people having too many unsuccessful logins, will create the file /etc/hosts.to_ban.

Then I've put in a crontab launched every minute (I know that this is slow) a script which will create /etc/hosts.deny by doing:
# take every IP that logged in successfully, turn it into an anchored
# pattern " <ip>$", and drop the matching lines from the ban list
uniq /etc/hosts.to_unban | \
    cut -d ' ' -f2 | \
    sed 's/$/$/g;s/^/ /g' | \
    grep -v -f - /etc/hosts.to_ban | \
    uniq > /etc/hosts.deny
which removes the IP addresses of successful logins from the ban list

P.-S. Excellent job, this fail2ban
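A sturdier version of that cron script, added here as an example (it is not from the original post nor from fail2ban itself). It assumes the ``ALL: <ip>'' line format that fail2ban's hostsdeny action writes, takes the file paths as arguments, compares IPs as exact strings rather than regex patterns (so 10.0.0.1 no longer matches 10.0.0.10), and replaces hosts.deny atomically:

```shell
#!/bin/sh
# Rebuild hosts.deny from the two files the post's jails maintain.
# Assumed line format (what fail2ban's hostsdeny action writes): "ALL: <ip>"
#   $1 = file of ban entries     (/etc/hosts.to_ban in the post)
#   $2 = file of unban entries   (/etc/hosts.to_unban, written by the "success" jail)
# Prints every ban entry whose IP is absent from the unban file, each once.
build_hosts_deny() {
    awk '
        # First file: remember the IP (2nd field) of every successful login.
        # FILENAME is used instead of NR==FNR so an empty unban file does not
        # make awk treat the ban file as the first input and print nothing.
        FILENAME == ARGV[1] { if (NF >= 2) unban[$2] = 1; next }
        # Second file: emit each ban line once unless its IP was unbanned.
        # Array lookup is an exact string match, so 10.0.0.1 never
        # matches 10.0.0.10 the way an unanchored regex would.
        NF >= 2 && !($2 in unban) && !seen[$0]++ { print }
    ' "$2" "$1"
}

# Cron entry point: write to a temp file and rename it so tcp_wrappers never
# reads a half-written hosts.deny. $3 is the output path (/etc/hosts.deny).
rebuild_hosts_deny() {
    tmp=$(mktemp "$3.XXXXXX") || return 1
    if build_hosts_deny "$1" "$2" > "$tmp"; then
        chmod 644 "$tmp" && mv -f "$tmp" "$3"
    else
        rm -f "$tmp"
        return 1
    fi
}

# Constructed sample data so the script runs stand-alone (TEST-NET addresses).
demo_dir=$(mktemp -d)
printf 'ALL: 192.0.2.10\nALL: 192.0.2.10\nALL: 192.0.2.1\nALL: 198.51.100.7\n' > "$demo_dir/hosts.to_ban"
printf 'ALL: 192.0.2.1\nALL: 192.0.2.1\n' > "$demo_dir/hosts.to_unban"
rebuild_hosts_deny "$demo_dir/hosts.to_ban" "$demo_dir/hosts.to_unban" "$demo_dir/hosts.deny"
cat "$demo_dir/hosts.deny"
# Expected: "ALL: 192.0.2.10" and "ALL: 198.51.100.7", one line each; 192.0.2.1 is dropped.
```

For production use call rebuild_hosts_deny with /etc/hosts.to_ban, /etc/hosts.to_unban and /etc/hosts.deny from the minutely cron job instead of the demo paths.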


  • Ric Anderson

    I really need this feature as well. Almost every ssh and vsftp login produces a failure message (trying /etc/passwd) and then succeeds against AD. The only exception seems to be the handful of users who actually have local accounts.