>
> I've noticed that I have a number of slow distributed attacks happening on
> my server which evade fail2ban by using a pool of IP addresses.
>
> I've been looking at the sqlite db and it looks like the data field in the
> bips table can have all the data I need to have a supplemental script which
> runs periodically and looks for a "threshold number" of failed logins over
> a time period against the same account and bans all IPs that tried. I've
> already instrumented my filters with the <f-user> tags so that the account
> name is available in the JSON data.
>
> Has anyone tried this? I only started looking at fail2ban a few days ago.
> Are there any holes in the approach I'm suggesting?
>
F2B has an open request for IP ranges/CIDR: https://github.com/fail2ban/fail2ban/issues/927
_______________________________________________
Fail2ban-users mailing list
Fail2ban-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
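
A sketch of the periodic per-account threshold check described in the quoted message, added here as an example; it is not code from the thread or from fail2ban. It runs against a constructed in-memory table: the column names (`ip`, `jail`, `timeofban`, `data`) and the `"user"` JSON key are assumptions to verify against your own fail2ban database, and `distributed_targets` and `demo_db` are hypothetical names.

```python
import json
import sqlite3
from collections import defaultdict

# Assumed layout: one row per IP with a UNIX timestamp and a JSON "data"
# column whose "user" key holds the account captured by <F-USER>.
SCHEMA = "CREATE TABLE bips (ip TEXT, jail TEXT, timeofban INTEGER, data TEXT)"

# Constructed sample rows (documentation address ranges, not real traffic).
SAMPLE = [
    ("192.0.2.10", "sshd", 1000, {"user": "admin", "failures": 1}),
    ("198.51.100.7", "sshd", 1600, {"user": "admin", "failures": 2}),
    ("203.0.113.5", "sshd", 2900, {"user": "admin", "failures": 1}),
    ("192.0.2.99", "sshd", 3000, {"user": "backup", "failures": 1}),
    ("203.0.113.77", "sshd", 90000, {"user": "admin", "failures": 1}),
    ("192.0.2.50", "sshd", 3100, {"failures": 3}),  # no account captured
]

def distributed_targets(conn, threshold=3, window=3600):
    """Return {account: sorted IPs} where at least `threshold` distinct IPs
    hit the same account within any `window`-second span."""
    events = defaultdict(list)
    for ip, ts, raw in conn.execute("SELECT ip, timeofban, data FROM bips"):
        try:
            user = json.loads(raw).get("user")
        except (TypeError, ValueError, AttributeError):
            continue  # skip rows with missing or malformed JSON
        if user:
            events[user].append((ts, ip))
    flagged = {}
    for user, rows in events.items():
        rows.sort()
        start, hits = 0, set()
        for end in range(len(rows)):
            while rows[end][0] - rows[start][0] > window:
                start += 1  # slide the window forward in time
            ips = {ip for _, ip in rows[start:end + 1]}
            if len(ips) >= threshold:
                hits |= ips
        if hits:
            flagged[user] = sorted(hits)
    return flagged

def demo_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    conn.executemany("INSERT INTO bips VALUES (?, ?, ?, ?)",
                     [(ip, j, ts, json.dumps(d)) for ip, j, ts, d in SAMPLE])
    return conn
```

Each returned IP could then be passed to `fail2ban-client set <jail> banip <ip>` by the periodic job.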