search for: findtime

Displaying 18 results from an estimated 18 matches for "findtime".

2017 Mar 01
3
fail2ban Asterisk 13.13.1
...Active: active (running) since Wed 2017-03-01 00:40:43 PST; 470min ago Docs: man:fail2ban(1) jail.local [DEFAULT] # "bantime" is the number of seconds that a host is banned. bantime = -1 # A host is banned if it has generated "maxretry" during the last "findtime" # seconds. findtime = 300 # "maxretry" is the number of failures before a host get banned. maxretry = 3 [asterisk-iptables] enable = true port = 5060,5061 filter = asterisk action = iptables-allports[name=ASTERISK, protocol=all] sendmail[name=A...
2017 Jul 27
1
under another kind of attack
...> Sometimes I think it should ;-) > > My "mistake" was that I had just *one* fail2ban filter for both cases: > "wrong password" and "unknown user". > > Now I have two distinct jails: > The first one just for "wrong password" and here the findtime, bantime, retries > are tolerant to typos. > > And I have a new one just for "unknown user" and here my bantime and findtime > are much bigger and the retries are just '2'. So here I'm much harsher. > I'll keep an eye on my logs and maybe some more twaeking...
2017 Mar 02
3
fail2ban Asterisk 13.13.1
...ehalf Of Tech Support Sent: Wednesday, March 1, 2017 2:37 PM To: 'Asterisk Users Mailing List - Non-Commercial Discussion' <asterisk-users at lists.digium.com> Subject: Re: [asterisk-users] fail2ban Asterisk 13.13.1 It's possible that you need to increase the value of 'findtime' to something greater than 300 secs. You also may want to set "timestamp = yes" in asterisk.conf so each line in the CLI will be time stamped. Time stamping it will be the definitive determination on whether or not the 'findtime' is the culprit. Regards; John V. From:...
2013 Oct 04
4
fail2ban
For dovecot 2.1 as per wiki2, is this still valid? noticed a problem before and saw it does seem to be triggering, I use: maxretry = 6 findtime = 600 bantime = 3600 and there was like, 2400 hits in 4 minutes, it is pointing to the correct log file, but I am no expert with fail2ban, so not sure if the log format of today is compatible with the wiki2 entry filter.d/dovecot.conf [Definition] failregex = (?: pop3-login|imap-login): (?:Authe...
2020 Apr 09
2
fail2ban firewalld problems with current CentOS 7
...09 09:26:13,838 fail2ban.filter [8545]: INFO maxRetry: 1 2020-04-09 09:26:13,838 fail2ban.filter [8545]: INFO encoding: UTF-8 2020-04-09 09:26:13,839 fail2ban.actions [8545]: INFO banTime: 172800 2020-04-09 09:26:13,839 fail2ban.filter [8545]: INFO findtime: 3600 2020-04-09 09:26:13,840 fail2ban.filter [8545]: INFO Added logfile: '/var/log/httpd/ssl_error_log' (pos = 588859, hash = 755a00cfc09ef9b2f76d78cff61ea766) 2020-04-09 09:26:13,840 fail2ban.filter [8545]: INFO Added logfile: '/var/log/httpd/error_log' (pos...
2017 Jul 26
1
under another kind of attack
Olaf Hopp <Olaf.Hopp at kit.edu> wrote: > And I have a new one just for "unknown user" and here my bantime and findtime > are much bigger and the retries are just '2'. So here I'm much harsher. > I'll keep an eye on my logs and maybe some more twaeking is necessary. Just be careful about typos (like twaeking!): users could simply misspell their username, or get mixed up with some another accou...
2010 Aug 09
1
fail2ban behavior
I created a filter and verified it with fail2ban-regex against actual lines in my log and it works. During restarts of fail2ban, only some previous ip's get banned immediately whereas some need a reoccurrence despite the jail's config specification of maxretry and findtime suggesting the entries mandate blocking. I'd assume the behavior after a restart is noe way if it weren't for the seemingly random immediate notification of blocks being different? Anyone with experience using fail2ban know anything about this? Thanks, jlc
2017 Jul 29
1
under another kind of attack
...ilters overlap or interfere with those suggested by you? this is my filter: Contents of /etc/fail2ban/jail.conf: [postfix] # Ban for 10 minutes if it fails 6 times within 10 minutes enabled = true port = smtp,ssmtp filter = postfix logpath = /var/log/mail.log maxretry = 6 bantime = 600 findtime = 600 Contents of /etc/fail2ban/filter.d/postfix.conf: # Fail2Ban configuration file # Author: Cyril Jaquier # $Revision$ [Definition] # Option: failregex # Notes.: regex to match the password failures messages in the logfile. The # host must be matched by a group named "host"...
2019 Apr 29
2
faI2ban detecting and banning but nothing happens
....227.253.100 45.227.253.100 [root at ollie2 ~]# fail2ban-client set exim banip 46.232.112.21 46.232.112.21 [root at ollie2 ~]# and the lines are still appearing. Here is my jail.local. (I did also try directly editing jail.conf to update the port commands). [DEFAULT] # set a higher bantime and findtime bantime=3600000 findtime=1200 # set the IP's to ignore / not ban ignoreip = 127.0.0.1/8 10.0.0.0/8 # set max number of attempts maxretry = 3 # set mail receiver destemail = fail2ban at ringways.co.uk sender = fail2ban at ringways.co.uk # enable sending mails, whois and logfile sections by choos...
2017 Jul 26
0
under another kind of attack
...locking is not an option for us. Sometimes I think it should ;-) My "mistake" was that I had just *one* fail2ban filter for both cases: "wrong password" and "unknown user". Now I have two distinct jails: The first one just for "wrong password" and here the findtime, bantime, retries are tolerant to typos. And I have a new one just for "unknown user" and here my bantime and findtime are much bigger and the retries are just '2'. So here I'm much harsher. I'll keep an eye on my logs and maybe some more twaeking is necessary. Another i...
2017 Jul 25
10
under another kind of attack
Hi folks, "somehow" similar to the thread "under some kind of attack" started by "MJ": I have dovecot shielded by fail2ban which works fine. But since a few days I see many many IPs per day knocking on my doors with wrong password and/or users. But the rate at which they are knocking is very very low. So fail2ban will never catch them. For example one IP: Jul 25
2019 Apr 26
5
faI2ban detecting and banning but nothing happens
On Friday 19 April 2019 16:15:32 Kenneth Porter wrote: > On 4/19/2019 5:30 AM, Gary Stainburn wrote: > > I've followed one of the pages on line specifically for installing fail2ban on > > Centos 7 and all looks fine. > > Which page? It would help to see what they advised. > On Friday 19 April 2019 16:15:32 Kenneth Porter wrote: > On 4/19/2019 5:30 AM, Gary Stainburn
2018 May 17
2
Decoding SIP register hack
I need some help understanding SIP dialog. Some actor is trying to access my server, but I can't figure out what he's trying to do, or how. I'm getting a lot of these warnings. [May 17 10:08:08] WARNING[1532]: chan_sip.c:4068 retrans_pkt: Retransmission timeout reached on transmission _zIr9tDtBxeTVTY5F7z8kD7R.. for seqno 101 With SIP DEBUG I tracked the Call-ID to this INVITE :
2017 Dec 17
1
ot: fail2ban dovecot setup
...ently banned: 0 |- Total banned: 0 `- Banned IP list: (1) # cat jail.local [dovecot-pop3imap] enabled = true filter = dovecot-pop3imap action = iptables-multiport[name=dovecot-pop3imap, port="pop3,imap", protocol=tcp] logpath = /var/log/dovecot.log maxretry = 5 findtime = 300 bantime = 3600 ignoreip = 127.0.0.1 127.0.0.0/8 [postfx-sasl] enabled = true filter = postfix-sasl action = iptables-multiport[name=postfix, port="http,https,smtp,submission,pop3,pop3s,imap,imaps,sieve", protocol=tcp] # sendmail[name=Postfix, dest=you...
2016 Mar 10
0
[ISC Crosspost] Novel method for slowing down Locky on Samba server using fail2ban
...amba.conf in /etc/fail2ban/jail.d/ [samba] filter = samba enabled = true action = iptables-multiport[name=samba, port="135,139,445,137,138", protocol=tcp] mail[name=samba, dest=admin at MYDOMAIN.DE] logpath = /var/log/syslog maxretry = 1 #block after first attempt findtime = 600 #always look at the last 10 minutes bantime = 86400 #24 hour ban [samba] filter = samba enabled = true action = iptables-multiport [name = samba, port = "135,139,445,137,138" protocol = tcp] mail [name = samba, dest=admin at MYDOMAIN.DE] logpath = / var / log / sysl...
2018 May 17
3
Decoding SIP register hack
....,2,Set(CDR(UserField)=SIP PEER IP: ${CHANNEL(peerip)}) > exten => _+X.,3,HangUp() > > > > in /etc/fail2ban/jail.conf: > > [asterisk] > filter   = asterisk > action = iptables-allports[name=ASTERISK] > logpath  = /var/log/asterisk/messages > maxretry = 1 > findtime = 86400 > bantime  = 518400 > enabled = true > > > in /etc/fail2ban/filter.d > > # Fail2Ban configuration file > # > # > # $Revision: 250 $ > # > > [INCLUDES] > > # Read common prefixes. If any customizations available -- read them > from > #...
2016 Aug 20
4
What is broken with fail2ban
Hello List, with CentOS 7.2 it is no longer possible to run fail2ban on a Server ? I install a new CentOS 7.2 and the EPEL directory yum install fail2ban I don't change anything only I create a jail.local to enable the Filters [sshd] enabled = true .... ..... When I start afterward fail2ban systemctl status fail2ban is clean But systemctl status firewalld is broken ? firewalld.service -
2017 Dec 16
7
ot: fail2ban dovecot setup
I'm trying to setup and test fail2ban with dovecot I've installed fail2ban, I've copied config from https://wiki2.dovecot.org/HowTo/Fail2Ban, and, trying to test it, attempted multiple mail access with wrong password, but, get this: # fail2ban-client status dovecot-pop3imap Status for the jail: dovecot-pop3imap |- Filter | |- Currently failed: 0 | |- Total failed: 0 | `- File