When an IP address or hostname is categorized as an attacker, they are blocked for 24hrs. Is there a way to increase this time of 24hrs to something greater? If so is there a limit?
All fai2ban jails have a ‘bantime’, current versions have no limit but versions < 0.9 will reset all bans on reload or reboot
I may have misdirected my question. I was referring to “Blocked Attackers” (see screenshot below).
When an IP address arrives at “Blocked Attackers” they are only removed if they stop traffic for 24 consecutive hrs. How can I increase this to something greater such as 48 hours?
In the relevant fail2ban jail, increase the ‘bantime’
Admin>System Admin>Intrusion Detection
All the comments above are discussing fail2ban. I am not inquiring about fail2ban, I am inquiring about “Blocked Attackers” which is a function that gets triggered after excessive fail2ban attempts. The default is a 24hr setting. I wish to change “Blocked Attackers” to a 48hr setting.
The ‘function’ that gets triggered is the creation of an iptables rule in a fail2ban chain, and the summation of those rules in the relevant fail2ban jails are the "Blocked Attackers’. BanTime is the setting that fail2ban uses to cause removal of said rule.
You can satisfy yourself that that is how it works by examining iptables -L -n and /var/log/fail2ban.log
fail2ban-client -h , fail2ban-client asterisk get bantime (and set) and fail2ban client status asterisk
FreePBX does not maintain any fail2ban ‘state’ outside fail2ban’s own ‘state’
Ahh… I see. Thank you for the clarification.
Ill dive in and try to figure out where in fail 2 ban the time for this particular jail is set. I thought all jails used one universal ban time. But perhaps jails can also have their own unique ban time. Ill poke around and see what i can find.
Make sure the fai2ban version is >= 0.9 or a restart reboot will reset all bans
This topic was automatically closed 31 days after the last reply. New replies are no longer allowed.