On 03/13/2006, johannes weiß wrote:
> this is the std config. But it's widely configurable (e.g.:
> --- SNIP (fail2ban.conf, std config) ---
> fwban = iptables -I fail2ban-%(__name__)s 1 -s <ip> -j DROP
> fwunban = iptables -D fail2ban-%(__name__)s -s <ip> -j DROP
> maxfailures = 5
> bantime = 600
> findtime = 600
> --- SNAP ---
>
>> to iptables whenever 1.2.3.4/32 has too many login failures?
>
> it executes "fwban" if an IP has more than "maxfailures" failures in
> "findtime". This ban will be removed after "bantime" seconds.
> Also configurable:
> - Mail sending
> - Apache (htaccess) checks
> - I'm pretty sure that also other auth-log-files could be parsed (by regexp)
>   if you want to.
>
>> Does it expire entries?
>
> (yes after "bantime" seconds)

Here's a recent entry from /var/log/fail2ban.log:

2006-03-13 12:57:55,516 INFO: SSH: 161.45.164.113 has 6 login failure(s). Banned.
2006-03-13 12:57:55,532 WARNING: SSH: Ban 161.45.164.113
2006-03-13 13:07:55,742 WARNING: SSH: Unban 161.45.164.113

Search for fail2ban or ssh brute force attacks on debian-user for more discussions on the subject.

Regards,
Ralph
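
Added example, not part of the original message and not fail2ban's own code: a sketch of the maxfailures / findtime / bantime rule described in the thread, run over constructed sshd log lines. The log line shape, the regular expression, and the names `find_bans`, `_fail` and `SAMPLE` are assumptions made for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Thresholds from the fail2ban.conf excerpt quoted in the thread.
MAXFAILURES, FINDTIME, BANTIME = 5, 600, 600

# Assumed sshd line shape (ISO timestamp first). The pattern is anchored at the
# end of the line so text inside the user name cannot supply the address.
FAIL_RE = re.compile(
    r"^(\S+) sshd\[\d+\]: Failed password for .* from (\S+) port \d+ ssh2$")

def find_bans(lines, maxfailures=MAXFAILURES, findtime=FINDTIME, bantime=BANTIME):
    """Return [(ip, banned_at, unbanned_at)] for the given log lines."""
    recent = defaultdict(deque)  # ip -> failure times still inside findtime
    banned_until = {}            # ip -> time the ban is lifted
    bans = []
    for line in lines:
        m = FAIL_RE.match(line)
        if not m:
            continue
        ts, ip = datetime.fromisoformat(m.group(1)), m.group(2)
        if ip in banned_until and ts < banned_until[ip]:
            continue             # already banned; nothing new to count
        window = recent[ip]
        window.append(ts)
        while (ts - window[0]).total_seconds() > findtime:
            window.popleft()     # forget failures older than findtime
        if len(window) > maxfailures:  # "more than maxfailures", as described
            banned_until[ip] = ts + timedelta(seconds=bantime)
            bans.append((ip, ts, banned_until[ip]))
            window.clear()
    return bans

def _fail(ts, ip):
    return f"{ts} sshd[411]: Failed password for root from {ip} port 4022 ssh2"

# Constructed sample input (documentation addresses, not real hosts).
SAMPLE = (
    [_fail(f"2006-03-13T12:{m:02d}:00", "198.51.100.7") for m in range(0, 16, 3)]
    + [_fail(f"2006-03-13T12:57:{s:02d}", "192.0.2.10") for s in range(5, 56, 10)]
    + ["2006-03-13T12:58:10 sshd[412]: Accepted publickey for alice "
       "from 203.0.113.5 port 5122 ssh2",
       _fail("2006-03-13T12:59:00", "192.0.2.10")]
)

if __name__ == "__main__":
    for ip, start, end in find_bans(SAMPLE):
        print(f"Ban {ip} at {start}, Unban at {end}")
```

The slow source (six failures spread over fifteen minutes) never exceeds the threshold inside a 600-second window, while the fast one is banned on its sixth failure and released 600 seconds later.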