FreePBX - fail2ban - find and ban time

Just wondering if anyone can tell me how I can reduce the time fail2ban takes to block a SIP attack please.

I’ve had a run of these recently from different IP addresses and I can see that it takes 2 mins almost exactly to ban an IP address, which in most cases is just over 800 attempts.

I have the following settings in Intrusion Detection:
Ban Time: -1 (Got this from a forum that said -1 = forever)
Max Retry: 5
Find Time: 600

Fail2ban does catch the attack, but as I said, it takes 2 mins to do so. Any ideas why or how to make this actually 5 attempts would be appreciated.

Regards, Nigel.

Fail2ban is scanning logs, so it’s going to take a fair amount of time no matter what we do. It seems to me there’s a “this many times in this many minutes” component as well, so the tuning of the thing might make a difference.

There are a few “backends” used to scan the log files; the backend chosen can be auto

backend = auto

or explicit. Polling is the slowest, gamin is usually the default; install pyinotify and you will likely get the most responsive results.
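A simplified model of the Max Retry / Find Time counting discussed in this thread, added here as an example (it is not fail2ban's own code and not from any poster): it counts how many attempts are logged before a ban lands when log scanning and the ban action lag by a given number of seconds. The log lines, IP addresses, function names and the `lag` parameter are constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

TS_FMT = "%Y-%m-%d %H:%M:%S.%f"
# Pattern for the constructed lines below; real Asterisk log formats differ by version.
FAIL_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] NOTICE.* failed for '(?P<ip>[\d.]+):\d+'")

def attempts_before_ban(lines, maxretry, findtime, lag):
    """Simplified model of a maxretry/findtime jail.

    lag = assumed seconds between a failure being logged and the ban taking
    effect (log backend latency plus firewall action). Returns
    {ip: attempts logged up to the moment the ban lands} for each banned IP.
    """
    window = defaultdict(deque)   # ip -> failures still inside the findtime window
    seen = defaultdict(list)      # ip -> every failure timestamp
    ban_time = {}
    for line in lines:
        m = FAIL_RE.match(line)
        if not m:
            continue
        ip, ts = m["ip"], datetime.strptime(m["ts"], TS_FMT)
        seen[ip].append(ts)
        if ip in ban_time:
            continue                  # threshold already crossed; ban is pending
        q = window[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > findtime:
            q.popleft()               # failure aged out of the window
        if len(q) >= maxretry:
            ban_time[ip] = ts + timedelta(seconds=lag)
    return {ip: sum(t <= b for t in seen[ip]) for ip, b in ban_time.items()}

def sample_log():
    """Constructed log: one fast scanner and one slow guesser (documentation IPs)."""
    t0 = datetime(2024, 1, 1, 12, 0, 0)
    fmt = "[{}] NOTICE[1234] chan_sip.c: Registration from '<sip:100@pbx>' failed for '{}:5060' - Wrong password"
    fast = [(t0 + timedelta(milliseconds=150 * i), "203.0.113.7") for i in range(1000)]
    slow = [(t0 + timedelta(seconds=200 * i), "192.0.2.50") for i in range(5)]
    return [fmt.format(ts.strftime(TS_FMT), ip) for ts, ip in sorted(fast + slow)]

if __name__ == "__main__":
    log = sample_log()
    for lag in (0, 1, 120):
        print(lag, attempts_before_ban(log, maxretry=5, findtime=600, lag=lag))
    print(attempts_before_ban(log, maxretry=3, findtime=86400, lag=0))
```

In this model a scanner sending one attempt every 150 ms gets 5 attempts logged at zero lag and 805 at 120 s of lag, so the count before the ban tracks detection latency rather than Max Retry. The slow guesser (one failure every 200 s) is never banned with Find Time 600 but is caught with Find Time 86400.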

My iPBX went through its set repos but couldn’t find that package in any it uses, can you point me to one that has it? This is for pyinotify…

Thanks

https://rpmfind.net/linux/rpm2html/search.php?query=python-inotify

On my FreePBX running on a Raspberry Pi, I have
bantime = 86400
findtime = 86400
maxretry = 3

And it does the job… It takes less than 2 mins to ban an IP.
I also have a static list of banned IPs that I load each time I do a fail2ban restart, so Fail2ban only gets the new IP intrusions.

Laurent.
