Just wondering if anyone can tell me how I can reduce the time fail2ban takes to block a SIP attack please.
I’ve had a run of these recently from different IP addresses and I can see that it takes 2 mins almost exactly to ban an IP address, which in most cases is just over 800 attempts.
I have the following settings in Intrusion Detection:
Ban Time: -1 (Got this from a forum that said -1 = forever)
Max Retry: 5
Find Time: 600
Fail2ban does catch the attack, but as I said, it takes 2 mins to do so. Any ideas why or how to make this actually 5 attempts would be appreciated.
Fail2ban is scanning logs, so it’s going to take a fair amount of time no matter what we do. It seems to me there’s a “this many times in this many minutes” component as well, so the tuning of the thing might make a difference.
On my FreePBX running on a Raspberry Pi, I have
bantime = 86400
findtime = 86400
maxretry = 3
And it does the job… It takes less than 2 mins to ban an IP.
I also have a static list of banned IPs that I load each time I do a fail2ban restart, so Fail2ban only gets the new IP intrusions.
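
The "this many times in this many minutes" rule mentioned in the replies, as an added example that is not part of the original thread and is not fail2ban's own code: a sliding-window count over constructed failure timestamps, evaluated with the two sets of maxretry/findtime values posted above. The function names and both sample timestamp lists are assumptions made for the illustration.

```python
from collections import deque


def ban_trigger_time(failure_times, maxretry, findtime):
    """Return the timestamp (seconds) of the failure that brings the count
    inside one findtime window up to maxretry, or None if that never happens."""
    window = deque()
    for t in sorted(failure_times):
        window.append(t)
        # Forget failures that are older than findtime relative to this one.
        while t - window[0] > findtime:
            window.popleft()
        if len(window) >= maxretry:
            return t
    return None


def attempts_before(failure_times, when):
    """Number of failures logged up to and including the given moment."""
    return sum(1 for t in failure_times if t <= when)


# Constructed sample: 800 failed attempts spread evenly over 120 seconds,
# roughly the burst described in the first post.
BURST = [i * 120 / 800 for i in range(800)]
# Constructed sample: a slow source, one failure every 250 seconds.
SLOW = [i * 250 for i in range(10)]

# (maxretry, findtime) pairs as posted in the thread.
SETTINGS = {"first post": (5, 600), "Raspberry Pi post": (3, 86400)}


def report():
    """Threshold-crossing time for each posted setting and each sample."""
    return {
        name: {
            "burst": ban_trigger_time(BURST, maxretry, findtime),
            "slow": ban_trigger_time(SLOW, maxretry, findtime),
        }
        for name, (maxretry, findtime) in SETTINGS.items()
    }


if __name__ == "__main__":
    for name, result in report().items():
        print(name, result)
```

On the constructed burst, both sets of thresholds are met in under a second, so maxretry and findtime alone do not account for a two-minute delay. The slow sample never reaches 5 failures inside 600 seconds, while the 86400-second window catches it on the third failure.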