Package: fail2ban
Version: 0.8.3-2sid1
Severity: wishlist

Currently fail2ban only takes failed logins into account. If from a host
more than $maxretry logins have failed in a certain $findtime, the IP of
that host will be blocked. Not considering, if there have been
successful logins from the host, in the same time too.

This poses a problem if the host is a proxy, which connects in behave of
a number of users. In the nature of a proxy, the proxy host will have a
high number of logins, coming with a higher probability of false logins,
due to misconfiguration or outdated account information.

Currently it is not possible for fail2ban to distinguish between an
attack and a proxy server, since the successful logins aren't considered
at all.

Therefore services, which are (possibly) accessed by proxy servers, cannot
be guarded by fail2ban, without risking to block proxy servers.

== Implementation Idea ==

1. Have a filter regex $succregex for successful logins.
2. Have a jail variable $retryreduce which specifies the number of
which the retry counter gets reduced on successful login.

* If $retryreduce is undefined or 0, nothing will change.
* If $retryreduce is positive, 1/$retryreduce successful logins on 
  every failed login are needed to not ban that host.

Values between 0 and 1 would be useful. 0.01 would mean you
need 100 successful logins for one failed login, to not ban that host.

== Further Ideas ==

Furthermore, there could be a different action to be fired, if a host get's 
banned
after successful logins have occured.

If a proxy host gets banned, because the failed logins are way to much
compared to the successful ones, you probably want be notified (even
only notified and not automatically ban the proxy host), while banning
ordinary attack hosts, don't need your attention.

Second, if there has been a successful login of a host, which got
banned afterwards, you probably want to know that too, while banning of
attack hosts, which weren't successful don't need your attention.

-- System Information:
Debian Release: 5.0.6
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: i386 (i686)

Kernel: Linux 2.6.26-2-686-bigmem (SMP w/4 CPU cores)
Locale: LANG=C, lc_ctype=de...@euro (charmap=ISO-8859-15)
Shell: /bin/sh linked to /bin/bash



-- 
To UNSUBSCRIBE, email to [email protected]
with a subject of "unsubscribe". Trouble? Contact [email protected]

Reply via email to