#37 host is banned outside specified findtime

closed-fixed
None
5
2009-02-09
2008-07-16
Anonymous
No

Used Version: fail2ban 0.8.2
For further information contact me at speedy(dot)200[at]gmx(dot)de

I tried to add a jail with the following time constraints:
maxRetry = 4
findtime = 20
banTime = 180

In words: The rule should ban users who access a host more than 4 times within 20 seconds. All hosts which access the host only 3 times within 20 seconds should not be banned.
But a user is nevertheless banned if he accesses the host 4 times within 1 minute and 27 seconds.
Obviously the parameter "findtime" does not work as it should do.

Is there an undocumented minimal number of seconds for "findtime"?

I've attached the full output from the fail2ban log at the bottom, where you can see that problem.
Here it is in short:
- 4 times in 20 seconds
- accesses at 16:46:23,849 16:46:44,853 16:47:49,864 and 16:47:50,405
- still banned
=======================================================
2008-07-16 16:45:56,003 fail2ban.comm : DEBUG Command: ['set', 'apache-trigger', 'addlogpath', '/var/log/httpd/access_log']
2008-07-16 16:45:56,033 fail2ban.comm : DEBUG Command: ['set', 'apache-trigger', 'maxretry', '4']
2008-07-16 16:45:56,037 fail2ban.comm : DEBUG Command: ['set', 'apache-trigger', 'addignoreip', '127.0.0.1']
2008-07-16 16:45:56,037 fail2ban.filter : DEBUG Add 127.0.0.1 to ignore list
2008-07-16 16:45:56,040 fail2ban.comm : DEBUG Command: ['set', 'apache-trigger', 'findtime', '20']
2008-07-16 16:45:56,043 fail2ban.comm : DEBUG Command: ['set', 'apache-trigger', 'bantime', '180']
...
...
...
iptables -I INPUT -p tcp --dport http -j fail2ban-TRIGGER returned successfully
2008-07-16 16:46:23,849 fail2ban.filter : DEBUG Found 134.106.XXX.XXX
2008-07-16 16:46:44,853 fail2ban.filter : DEBUG Found 134.106.XXX.XXX
2008-07-16 16:47:10,858 fail2ban.filter : DEBUG Found 134.106.XXX.XXX
2008-07-16 16:47:49,864 fail2ban.filter : DEBUG Found 134.106.XXX.XXX
2008-07-16 16:47:50,405 fail2ban.actions: WARNING [apache-trigger] Ban 134.106.XXX.XXX

=======================================================

Discussion

  • Cyril Jaquier

    Cyril Jaquier - 2008-07-16
    • status: open --> open-remind
     
  • Nobody/Anonymous


    Hi,
    thank you for the answer and the link to the mailing list.
    But the behaviour described in the thread doesn't work either!

    According to the example:
    10:00:00 -> match detected -> counter = 1
    10:00:10 -> match detected -> counter = 1
    10:00:12 -> match detected -> counter = 2

    the host in my example should NOT have been banned either, because there were more than 20 seconds between every match:
    2008-07-16 16:46:23,849 DEBUG Found 134.106.XXX.XXX -> counter = 1
    2008-07-16 16:46:44,853 DEBUG Found 134.106.XXX.XXX -> counter = 1
    2008-07-16 16:47:10,858 DEBUG Found 134.106.XXX.XXX -> counter = 1
    2008-07-16 16:47:49,864 DEBUG Found 134.106.XXX.XXX -> counter = 1
    2008-07-16 16:47:50,405 WARNING [apache-trigger] Ban 134.106.XXX.XXX -> with counter = 1

    Another example with "findTime = 60" and "maxRetry = 6"

    2008-07-17 14:02:35,854 DEBUG Found 134.106.XXX.XXX -> counter = 1
    2008-07-17 14:02:39,963 DEBUG Found 134.106.XXX.XXX -> counter = 2
    2008-07-17 14:02:42,867 DEBUG Found 134.106.XXX.XXX -> counter = 3
    2008-07-17 14:02:04,514 DEBUG Found 134.106.XXX.XXX -> counter = 4
    2008-07-17 14:02:45,884 DEBUG Found 134.106.XXX.XXX -> counter = 5
    2008-07-17 14:05:28,964 DEBUG Found 134.106.XXX.XXX -> counter = 1 (SHOULD BE!!!)
    2008-07-17 14:05:30,350 WARNING [apache-trigger] Ban 134.106.XXX.XXX

    You're right: " "findtime" is not really what it should be" (but it is also NOT what it is expected to be at the moment!)

    Kind regards!

     
  • Nobody/Anonymous


    I did some further tests with the new release 0.8.3.

    It seems to me that fail2ban takes absolutely no account of the "findtime" interval.

    I configured three different rules and specified no "findtime", so that the default value (600) is used. But according to my logfile the counter for a filter is only reset when a host is banned/unbanned.
    The counter is definitely NOT set to zero if no match is found within "findtime". Can anyone confirm that please?

    How to check:
    Set no "findtime" in jail.conf and set "maxretry" for your filter e.g. to 10. Call the corresponding filter 9 times (9 calls to the website or 9 wrong logins to ssh) and then wait MORE than 10 minutes. Try again 1 or 2 times. If you are banned my assumption is right, otherwise it sucks.

    Kind Regards.

     
  • Cyril Jaquier

    Cyril Jaquier - 2009-02-09
    • assigned_to: nobody --> lostcontrol
    • status: open-remind --> closed-fixed
     
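The sliding-window semantics the thread expects (drop matches older than findtime, ban once maxretry matches remain), replayed over the two log excerpts posted above. This is an added example, not fail2ban's own code; the host address is the masked one from the posts. With findtime=20/maxretry=4 the first excerpt yields no ban, with the default findtime=600 it bans at 16:47:49, and the second excerpt with findtime=60/maxretry=6 yields no ban because the counter is back to 1 at 14:05:28.

```python
import re
from collections import deque
from datetime import datetime, timedelta

# Log excerpts copied from the posts above (IP masked there as well).
REPORT_LOG = """\
2008-07-16 16:46:23,849 fail2ban.filter : DEBUG Found 134.106.XXX.XXX
2008-07-16 16:46:44,853 fail2ban.filter : DEBUG Found 134.106.XXX.XXX
2008-07-16 16:47:10,858 fail2ban.filter : DEBUG Found 134.106.XXX.XXX
2008-07-16 16:47:49,864 fail2ban.filter : DEBUG Found 134.106.XXX.XXX
"""
SECOND_LOG = """\
2008-07-17 14:02:35,854 DEBUG Found 134.106.XXX.XXX
2008-07-17 14:02:39,963 DEBUG Found 134.106.XXX.XXX
2008-07-17 14:02:42,867 DEBUG Found 134.106.XXX.XXX
2008-07-17 14:02:04,514 DEBUG Found 134.106.XXX.XXX
2008-07-17 14:02:45,884 DEBUG Found 134.106.XXX.XXX
2008-07-17 14:05:28,964 DEBUG Found 134.106.XXX.XXX
"""
# Accepts both the full "fail2ban.filter : DEBUG Found" line and the shortened form.
FOUND_RE = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d+)\s+(?:fail2ban\.filter\s*:\s*)?DEBUG Found (\S+)")

def parse_found(log_text):
    """Return (timestamp, host) for every 'Found' line, in log order."""
    events = []
    for line in log_text.splitlines():
        m = FOUND_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S,%f")
            events.append((ts, m.group(2)))
    return events

def simulate(events, findtime, maxretry):
    """Sliding window per host: drop matches older than `findtime` seconds,
    ban when `maxretry` matches remain. Returns the (timestamp, host) bans."""
    window = timedelta(seconds=findtime)
    recent = {}  # host -> deque of timestamps still inside the window
    bans = []
    for ts, host in events:
        q = recent.setdefault(host, deque())
        while q and ts - q[0] > window:  # pruned by timestamp, so the
            q.popleft()                   # out-of-order 14:02:04 line stays
        q.append(ts)
        if len(q) >= maxretry:
            bans.append((ts, host))
            q.clear()  # counter starts over once the host is banned
    return bans
```

Lowering maxretry to 5 on the second excerpt produces a ban at 14:02:45, i.e. the five matches the reporter counted inside one 60-second window.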
