From: Stefan C. <ste...@go...> - 2012-02-27 12:23:04
Hi all,

Dropping the maxretry to 2 per 60 seconds works. Now people that try to
connect at least twice per 60 seconds and fail will be added to the
iptables drop chain.

If someone wants to add the failregex to an openvpn filter in the future,
this is what worked for me on Debian 6 stable.

failregex = <HOST>:[0-9]{1,5}.*Connection reset, restarting \[-*[0-9]{1,2}\]$

Thank you for your help!

On 23/02/12 11:02, Stefan Cocora wrote:
> Hi Fabian,
>
> That is a very good point you're making. I don't know how I've
> managed to overlook the tries per amount of time.
> I've just changed it to 2 per 60 s.
> I'll let you know how it goes.
>
> Regards,
> Stefan
>
> On 21/02/12 13:23, Fabian Wenk wrote:
>> Hello Stefan
>>
>> On 21.02.2012 10:45, Stefan Cocora wrote:
>>> Now I've also set it up to block openvpn connection attempts.
>>> Unfortunately my openvpn jail doesn't seem to work even if the failregex
>>> seems to work when I run it from cli with
>>
>>> Can anyone see why fail2ban fails (I know it's funny) to ban those
>>> openvpn connection attempts, even though fail2ban-regex catches the ips
>>> on the command line?
>>
>> As far as I see it, your 'findtime = 60' in combination with
>> 'maxretry = 5' is set too short. With this, there are 5
>> connections from the same IP address within 60 seconds needed to
>> block the IP address, else it will not get blocked. According to
>> your openvpn.log snippet almost all connections are from a
>> different IP address, except the two entries at
>> '2012-02-19T22:59:02' and '2012-02-19T22:59:10'.
>>
>> I think the fail2ban-regex tool does only check for the regex
>> itself, but not the other parameters like findtime and maxretry
>> in the config file. The fail2ban-regex tool can also be used like
>> this:
>>
>> fail2ban-regex "<single-line-from-log-file>" "<regex-line>"
>>
>>
>> bye
>> Fabian
>>
>> _______________________________________________
>> Fail2ban-users mailing list
>> Fai...@li...
>> https://lists.sourceforge.net/lists/listinfo/fail2ban-users
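
Added example (not part of the original thread and not fail2ban's own code): a simplified model of why a failregex can match on the command line while the jail never bans, using the failregex posted above. The log lines are constructed, the IPv4-only stand-in for <HOST> is an assumption, and the function names are hypothetical.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# failregex from the thread; fail2ban expands <HOST> itself. The IPv4-only
# group below is a simplified stand-in for that expansion (assumption).
FAILREGEX = r"<HOST>:[0-9]{1,5}.*Connection reset, restarting \[-*[0-9]{1,2}\]$"
HOST_GROUP = r"(?P<host>(?:\d{1,3}\.){3}\d{1,3})"
PATTERN = re.compile(FAILREGEX.replace("<HOST>", HOST_GROUP))

# Constructed sample log lines (documentation address ranges), not from the thread.
SAMPLE_LOG = """\
2012-02-19T22:58:40 vpn ovpn-server[811]: 198.51.100.4:40112 Connection reset, restarting [0]
2012-02-19T22:59:02 vpn ovpn-server[811]: 203.0.113.7:51234 Connection reset, restarting [0]
2012-02-19T22:59:10 vpn ovpn-server[811]: 203.0.113.7:51301 Connection reset, restarting [-1]
2012-02-19T22:59:30 vpn ovpn-server[811]: 192.0.2.55:1194 Peer Connection Initiated
2012-02-19T23:04:00 vpn ovpn-server[811]: 198.51.100.4:40250 Connection reset, restarting [0]
""".splitlines()


def regex_hits(lines):
    """What a regex-only check reports: every matching (time, host) pair."""
    hits = []
    for line in lines:
        m = PATTERN.search(line)
        if m:
            ts = datetime.strptime(line.split()[0], "%Y-%m-%dT%H:%M:%S")
            hits.append((ts, m.group("host")))
    return hits


def banned_hosts(lines, maxretry, findtime):
    """Hosts reaching maxretry failures inside a sliding findtime window (seconds)."""
    recent = defaultdict(deque)
    banned = []
    for ts, host in regex_hits(lines):
        window = recent[host]
        window.append(ts)
        while (ts - window[0]).total_seconds() > findtime:
            window.popleft()  # forget failures older than findtime
        if len(window) >= maxretry and host not in banned:
            banned.append(host)
    return banned


if __name__ == "__main__":
    print("regex hits:", len(regex_hits(SAMPLE_LOG)))
    print("maxretry=5:", banned_hosts(SAMPLE_LOG, 5, 60))
    print("maxretry=2:", banned_hosts(SAMPLE_LOG, 2, 60))
```

The regex matches four of the five lines in both cases; only the threshold decides whether a host that matched twice within 60 seconds is banned.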