Surely the fundamental problem would be to work out why valid users are being blocked?
> On 20 Aug 2022, at 19:12, Graham B. <fail2...@chuckerytowers.plus.com> wrote:
>
> Hello Denis,
>
> This is a shot in the dark - I do not know what your users are connecting
> to, or how they are authenticated.
>
> However, in my experience, some dynamic I.P. addresses change rapidly
> (changing in hours), while many persist for longer times (days, weeks, months).
>
> If you can hook something like "sqlite" to your fail2ban configuration, you
> might maintain a database of tuples (I.P. address + account name + the time
> of the latest sighting), then consult that database for each connecting
> address, updating user details in the database after authentication. Old
> entries might be purged daily. Note that some addresses might have more
> than one account name (e.g. two people sharing a home).
>
> This should help to remove the need for the arithmetic mentioned by Roman,
> since many valid account names and known addresses should already be held,
> and a query for the I.P. address could suggest a known authentic account
> name. Most authentic users should usually gain access rapidly, with a low
> system load. First-time users, some authentic users, and bogus users wait a
> little, with a higher system load.
>
> There may be an enhancement if the database tuples also include a verdict,
> being one of {unknown | good | bad}, enabling caching of bad sources and
> faster decisions.
>
> Hoping this helps,
> Graham
>
> It was a tough school. Instead of a vaulting horse in the gym they had a
> vaulting unicorn.
>
> On Fri, 19 Aug 2022, Roman Pikalo via Fail2ban-users wrote:
>
>> Date: Fri, 19 Aug 2022 10:25:00
>> From: Roman Pikalo via Fail2ban-users <fail2ban-users@lists.sourceforge.net>
>> Reply-To: Roman Pikalo <roman.pik...@funderbeam.com>
>> To: Denis <d...@oxip.me>
>> Cc: fail2ban-users@lists.sourceforge.net
>> Subject: Re: [Fail2ban-users] Skip banning if user has good requests
>>
>> Hi Denis,
>>
>>> So I'm searching for something like IP reputation.
>>
>> That idea crossed my mind so many times. But then you would have to process
>> all your "findings" with your reputation score logic and then let fail2ban
>> know what to do: ban or whitelist. With every request you will be
>> recalculating the score of all the IPs that just sent a request. Under high
>> load that might be an issue.
>> Also, implementing that kind of reputation scoring system might not be as
>> challenging as making sure it works as expected.
>> I think it will not take that much time for the attacker to figure out how
>> to make their way onto the good users list.
>> Have you tried looking (or adding, if you can) in your logs for something
>> more definitive and more specific to your application (e.g. http headers:
>> filter by http_status/app_version/session_id etc.)?
>> As in: if you send a request without an app_version header, or the status
>> is 444, or session_id is missing, then ban on first appearance.
>>
>> Regards,
>> Roman
>>
>> On Thu, Aug 18, 2022 at 8:00 PM Denis <d...@oxip.me> wrote:
>>
>> Hello.
>> Yes. Port knocking logic is very close to what I need.
>> Now I do a virtual-whitelist jail with actionban = ACCEPT
>> and failregex = good request.
>> So if a user makes a good request it is added to the whitelist, and for the
>> next bantime it will not be rejected.
>> But:
>> The user is in fact added to 2 ipsets (whitelist and ban jail).
>> My whitelist is awfully big (because every good user is in it).
>> The f2b log has a lot of "already banned" lines (because the user is allowed
>> by the whitelist but can still send bad requests).
>> So I'm searching for something like IP reputation:
>> IP req matched 2 times as fail, and 5 times as good. Sum is +3. OK.
>> IP req matched 10 times as fail and 0 as good. Sum -10. Ban.
>>
>> Thu, 18 Aug 2022, 19:23 Philip Clarke <n...@bouncing.org>:
>>
>> Have you considered doing port knocking for your users? They point a web
>> browser to a location, it registers the request, that IP is given a pass
>> for fail2ban or iptables. A simple listening script would suffice, either
>> implementing an "Unban" if locked out, or possibly some genius with
>> iptables could skip the whole thing and code it in a one-liner :)
>>
>> On 18 Aug 2022, at 10:33, Denis <d...@oxip.me> wrote:
>>
>> Hello.
>> Unfortunately users have dynamic IPs and there are a lot of users. I can't
>> manually add every one.
>>
>> On 16.08.2022 23:39, Roman Pikalo wrote:
>>
>> One of the options would be to use "ignoreip" in your jail configuration to
>> ignore certain IPs or even subnets. Of course that means that you have
>> that IP list.
>> -----
>> Roman
>>
>> On Mon, Aug 15, 2022 at 11:04 AM Denis <d...@oxip.me> wrote:
>>
>> Hello.
>>
>> I configured f2b for a strict enough policy.
>>
>> Some normal users can be banned as a false positive.
>>
>> Is it possible to skip banning if a user has good requests within findtime?
>> (not lines with ignoreregex, but adding an IP's reputation)
>>
>> Or decrease an IP's bad count if it gets a good request? (goodregex?)
>>
>> _______________________________________________
>> Fail2ban-users mailing list
>> Fail2ban-users@lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/fail2ban-users
>
> [--- snipped ---]
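Denis's scoring idea (count good and failed requests per IP within findtime, ban when the sum drops to -maxretry or below) and Graham's sqlite cache of (IP, account, last seen, verdict) tuples, worked through as an added example that is not code from the thread or from fail2ban. It assumes nginx/apache combined-style log lines with 401/403 as the failure condition and 2xx/3xx as a good request; the log lines, addresses and account names are constructed. The third address illustrates Roman's caveat: ten failed logins padded with eight hits on a public page stay above the ban threshold until failures are weighted more heavily than successes (bad_weight=2), and the stale entry shows the daily purge Graham suggests.

```python
"""Added example (not from the thread or fail2ban): per-IP reputation scoring
over a findtime window, plus a small sqlite cache of
(ip, account, last_seen, verdict) tuples as Graham describes."""
import re
import sqlite3
from collections import defaultdict
from datetime import datetime, timedelta, timezone

TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
# Assumed combined-style access log line; only the fields we need are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})'
)

BASE = datetime(2022, 8, 19, 10, 0, 0, tzinfo=timezone.utc)
NOW = BASE + timedelta(seconds=60)


def _line(ip, user, sec, req, status):
    """Build one constructed log line `sec` seconds after BASE."""
    ts = (BASE + timedelta(seconds=sec)).strftime(TS_FMT)
    return f'{ip} - {user} [{ts}] "{req}" {status} 0'


# Constructed sample log: a real user with 2 fails + 5 goods, a brute-forcer
# with 10 fails, a brute-forcer padding 10 fails with 8 hits on a public page,
# and one stale failure two hours old (outside findtime).
SAMPLE_LOG = "\n".join(
    [_line("10.0.0.5", "alice", 1 + 3 * i, "POST /login HTTP/1.1", 401) for i in range(2)]
    + [_line("10.0.0.5", "alice", 10 + 3 * i, "GET /app HTTP/1.1", 200) for i in range(5)]
    + [_line("198.51.100.7", "-", 2 * i, "POST /login HTTP/1.1", 401) for i in range(10)]
    + [_line("203.0.113.9", "-", 2 * i, "POST /login HTTP/1.1", 401) for i in range(10)]
    + [_line("203.0.113.9", "-", 21 + i, "GET / HTTP/1.1", 200) for i in range(8)]
    + [_line("192.0.2.4", "bob", -7200, "POST /login HTTP/1.1", 401)]
)


def parse(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec


def delta_for(status, good_weight=1, bad_weight=1):
    """Score change for one request: 401/403 is a failure (what failregex
    would catch), 2xx/3xx a good request (Denis's 'goodregex'), else neutral."""
    if status in (401, 403):
        return -bad_weight
    if 200 <= status < 400:
        return good_weight
    return 0


def score_ips(log, now, findtime, maxretry, good_weight=1, bad_weight=1):
    """Sum per-IP deltas over the last `findtime` seconds.
    Returns {ip: (score, 'ban' | 'ok')}; ban when score <= -maxretry."""
    start = now - timedelta(seconds=findtime)
    scores = defaultdict(int)
    for line in log.splitlines():
        rec = parse(line)
        if rec is None or not (start <= rec["ts"] <= now):
            continue
        scores[rec["ip"]] += delta_for(rec["status"], good_weight, bad_weight)
    return {ip: (s, "ban" if s <= -maxretry else "ok") for ip, s in scores.items()}


# Graham's tuple store: one row per (ip, account) pair with last sighting and verdict.
SCHEMA = """CREATE TABLE IF NOT EXISTS reputation (
    ip TEXT NOT NULL, account TEXT NOT NULL, last_seen TEXT NOT NULL,
    verdict TEXT NOT NULL CHECK (verdict IN ('unknown', 'good', 'bad')),
    PRIMARY KEY (ip, account))"""


def build_cache(log, now, findtime, maxretry, **weights):
    """Score the log, then write one row per (ip, account) pair seen.
    Assumes log lines are chronological, so the last write holds last_seen."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    verdicts = score_ips(log, now, findtime, maxretry, **weights)
    for line in log.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        score, action = verdicts.get(rec["ip"], (0, "ok"))
        verdict = "bad" if action == "ban" else "good" if score > 0 else "unknown"
        conn.execute("INSERT OR REPLACE INTO reputation VALUES (?, ?, ?, ?)",
                     (rec["ip"], rec["user"], rec["ts"].isoformat(), verdict))
    conn.commit()
    return conn


def lookup(conn, ip):
    """Known (account, verdict) pairs for an address: the cheap first check."""
    return conn.execute(
        "SELECT account, verdict FROM reputation WHERE ip = ? ORDER BY account", (ip,)
    ).fetchall()


def purge(conn, now, max_age):
    """Drop rows not seen within `max_age` (a timedelta); returns rows deleted."""
    cutoff = (now - max_age).isoformat()
    return conn.execute("DELETE FROM reputation WHERE last_seen < ?", (cutoff,)).rowcount


if __name__ == "__main__":
    for ip, (score, action) in score_ips(SAMPLE_LOG, NOW, 600, 5).items():
        print(f"{ip:14} score={score:+d} -> {action}")
    conn = build_cache(SAMPLE_LOG, NOW, 600, 5)
    print("purged stale rows:", purge(conn, NOW, timedelta(hours=1)))
```

With findtime=600 and maxretry=5 the real user scores +3 and stays unbanned, the plain brute-forcer scores -10 and is banned, and the padding brute-forcer scores -2 and slips through; raising bad_weight to 2 bans it (-12) while the real user still scores +1. The weighting is a knob, not a fix: a score that can be raised by cheap unauthenticated hits is exactly the "good users list" Roman expects an attacker to work their way onto, which is why he suggests keying on something application-specific instead.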