From: Amir C. <ce...@3p...> - 2013-07-23 04:24:46
On Jul 22, 2013, at 9:19 PM, Daniel Black <dan...@in...> wrote:

> also see the recidive.conf filter.

I think this method is easier than the one to which Yehuda linked, especially since it is basically built in... and the nice thing is that it bans repeat offenders across ALL jails... that is, if an IP is banned on ssh once, proftp once, and apache once, that counts as three repeat bans for recidive, but the method to which Yehuda linked won't catch it as a repeater.

You could create a "recidive2" filter, which looks for recidive bans in the fail2ban log... so, for example, recidive would ban repeaters for (say) a week, and recidive2 would ban repeat-repeaters for a year (or whatever). You could make as many levels of recidive filters as you wanted, though each would require a separate jail.

Note that ban periods of longer than a month may not be useful depending on the stability of your server... unless it has changed recently, the ban list is lost upon reboot.

Hope this helps.

---
Amir
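The cross-jail counting and the second "recidive2" level described in the message above, replayed offline over constructed log lines. This is an added example, not part of the original message and not fail2ban's own code; the log line format, the thresholds and all function names are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample; the line format is an assumption and differs between fail2ban versions.
SAMPLE_LOG = """\
2013-07-01 10:00:00,000 fail2ban.actions: WARNING [ssh] Ban 192.0.2.10
2013-07-01 10:10:00,000 fail2ban.actions: WARNING [ssh] Unban 192.0.2.10
2013-07-01 12:00:00,000 fail2ban.actions: WARNING [proftpd] Ban 192.0.2.10
2013-07-01 15:00:00,000 fail2ban.actions: WARNING [apache] Ban 192.0.2.10
2013-07-01 15:00:01,000 fail2ban.actions: WARNING [recidive] Ban 192.0.2.10
2013-07-02 09:00:00,000 fail2ban.actions: WARNING [ssh] Ban 198.51.100.7
2013-07-05 09:00:00,000 fail2ban.actions: WARNING [ssh] Ban 198.51.100.7
2013-07-10 08:00:00,000 fail2ban.actions: WARNING [ssh] Ban 192.0.2.10
2013-07-10 11:00:00,000 fail2ban.actions: WARNING [apache] Ban 192.0.2.10
2013-07-10 13:00:00,000 fail2ban.actions: WARNING [proftpd] Ban 192.0.2.10
2013-07-10 13:00:01,000 fail2ban.actions: WARNING [recidive] Ban 192.0.2.10
"""

BAN_RE = re.compile(r"^(?P<ts>[\d-]+ [\d:]+),\d+ fail2ban\.actions: "
                    r"WARNING \[(?P<jail>[^\]]+)\] Ban (?P<ip>\S+)$")

def parse_bans(log):
    """Yield (timestamp, jail, ip) for every Ban line; Unban and other lines are skipped."""
    for line in log.splitlines():
        m = BAN_RE.match(line)
        if m:
            yield datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), m["jail"], m["ip"]

def repeaters(log, want_jail, maxretry, findtime):
    """IPs with at least maxretry bans, in jails accepted by want_jail, inside one findtime window."""
    times = defaultdict(list)
    for ts, jail, ip in parse_bans(log):
        if want_jail(jail):
            times[ip].append(ts)
    for stamps in times.values():
        stamps.sort()
    return {ip for ip, s in times.items()
            if any(b - a <= findtime for a, b in zip(s, s[maxretry - 1:]))}

def tier1(log):  # first level: 3 bans in a day from any non-recidive jail (assumed thresholds)
    return repeaters(log, lambda j: not j.startswith("recidive"), 3, timedelta(days=1))

def tier2(log):  # second level: 2 bans issued by the recidive jail itself within 30 days
    return repeaters(log, lambda j: j == "recidive", 2, timedelta(days=30))

def ssh_only(log):  # same first-level threshold, but counting a single jail
    return repeaters(log, lambda j: j == "ssh", 3, timedelta(days=1))
```
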