Package: fail2ban Version: 0.8.3-2sid1 Severity: wishlist Currently fail2ban only takes failed logins into account. If from a host more than $maxretry logins have failed in a certain $findtime, the IP of that host will be blocked. Not considering, if there have been successful logins from the host, in the same time too.
This poses a problem if the host is a proxy, which connects in behave of a number of users. In the nature of a proxy, the proxy host will have a high number of logins, coming with a higher probability of false logins, due to misconfiguration or outdated account information. Currently it is not possible for fail2ban to distinguish between an attack and a proxy server, since the successful logins aren't considered at all. Therefore services, which are (possibly) accessed by proxy servers, cannot be guarded by fail2ban, without risking to block proxy servers. == Implementation Idea == 1. Have a filter regex $succregex for successful logins. 2. Have a jail variable $retryreduce which specifies the number of which the retry counter gets reduced on successful login. * If $retryreduce is undefined or 0, nothing will change. * If $retryreduce is positive, 1/$retryreduce successful logins on every failed login are needed to not ban that host. Values between 0 and 1 would be useful. 0.01 would mean you need 100 successful logins for one failed login, to not ban that host. == Further Ideas == Furthermore, there could be a different action to be fired, if a host get's banned after successful logins have occured. If a proxy host gets banned, because the failed logins are way to much compared to the successful ones, you probably want be notified (even only notified and not automatically ban the proxy host), while banning ordinary attack hosts, don't need your attention. Second, if there has been a successful login of a host, which got banned afterwards, you probably want to know that too, while banning of attack hosts, which weren't successful don't need your attention. -- System Information: Debian Release: 5.0.6 APT prefers stable APT policy: (500, 'stable') Architecture: i386 (i686) Kernel: Linux 2.6.26-2-686-bigmem (SMP w/4 CPU cores) Locale: LANG=C, lc_ctype=de...@euro (charmap=ISO-8859-15) Shell: /bin/sh linked to /bin/bash -- To UNSUBSCRIBE, email to [email protected] with a subject of "unsubscribe". Trouble? Contact [email protected]

