I am hoping to get a bit of clarification on how Fail2ban, Intrusion Detection and the responsive firewall are related.
My understanding is that the settings under “Intrusion Detection” are simply a way of setting basic Fail2ban parameters and that the Responsive Firewall functionality is a completely separate feature.
Right now I have the intrusion settings fairly tight with max number of failed logins set to 3. However I regularly get alerts from Fail2ban about banned IP’s which show anywhere from 3 to 11 failed login attempts. At first glance this appears to indicate that the “Intrusion Detection” settings are not being completely respected.
My thought is that some of the “Fail2Ban” alerts are actually being generated by the Responsive Firewall which is perhaps not as rigid in it response to failed login attempts. But again I am not completely clear on how these services are interrelated. Any thoughts or clarification about how these services relate to each other and how to explain the variation in failed logins before banning would be appreciated.