Hi, what about a script that removes the failed IP from F2B's database when a successful login is detected? As Sergey Brester (contributor) wrote on github:

<quote>
Question: Also, is there a way to unmark an ip as being "bad"?

Answer: Manually unbanning does this (by removing from sqlite-database).

# everywhere (in all jails and database, >= v.0.10):
?sudo? fail2ban-client unban <IP> ... <IP>
# per jail (>= v.0.9)
?sudo? fail2ban-client set <JAIL> unbanip <IP>
</quote>

I think it would work when the script is triggered by a cron job, reading the logfile, and then sends the IPs that successfully logged in to the fail2ban-client.

Greetz
Florian

On 09.09.2020 at 14:49, [email protected] wrote:
> Hi All
>
> I am trying to setup Fail2Ban type functionality for a mail server.
> The object is to block 1000's of BOTS that try dictionary attacks or
> have lists of previously compromised accounts (which now have new
> passwords).
>
> But I do not want to accidentally block bona fide IP addresses, like a
> company's office router, which supports many valid users, even if one
> or two users have bad passwords.
>
> For example if someone enters their password incorrectly and their
> mail program retries a number of times, their IP will get blocked. If
> they are connecting from an office environment then all of their
> colleagues who share the same public IP address will also get blocked.
> This is not acceptable.
>
> So the functionality we are looking for is:
>
> - when we log a valid login, we "whitelist" that IP for a period.
>
> - when we log a number of invalid logins in a given period, we jail it
> for a jail period, as per the normal fail2ban rules. Provided that IP
> is not already whitelisted.
>
> One way to implement the above is to count the valid logins, per IP,
> and subtract the invalid logins, per IP. We can stop counting when we
> reach a maximum (say 10), but if it goes down to say, negative 3, we
> jail the IP. On un-jailing we reset the counter. This way an IP that
> supports a group of bona fide users should never get jailed, but the
> bots will get detected and blocked.
>
> I have looked through the documentation and I can't see an obvious way of
> doing this with fail2ban. Has anybody implemented anything like this
> before?
>
> Thanks
>
>
> Ian
>
>
> _______________________________________________
> Fail2ban-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/fail2ban-users
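Added example (not part of the thread and not fail2ban code): a sketch of the per-IP counter described in the quoted message, with the unban command from the reply built as an argument list. The log format, `SAMPLE_LOG`, `LoginScore`, `run` and `unban_argv` are assumptions made for the illustration; how the jail itself is enforced is left out.

```python
import ipaddress
import re
from collections import defaultdict

MAX_SCORE = 10  # stop counting valid logins here ("say 10")
JAIL_AT = -3    # jail once the score falls this low ("say, negative 3")
# Constructed log format for this example; adapt the regex to the real mail log.
LINE_RE = re.compile(r"^\S+ auth (?P<result>ok|fail) rip=(?P<ip>\S+)$")
# Constructed sample: office IP (4 good logins, 5 bad retries), a bot, a bad address.
SAMPLE_LOG = "\n".join(
    ["2020-09-09T14:00:00 auth ok rip=198.51.100.20"] * 4
    + ["2020-09-09T14:05:00 auth fail rip=198.51.100.20"] * 5
    + ["2020-09-09T14:06:00 auth fail rip=203.0.113.9"] * 3
    + ["2020-09-09T14:07:00 auth fail rip=not-an-ip"]
)

class LoginScore:
    def __init__(self):
        self.score = defaultdict(int)  # valid minus invalid logins, per IP
        self.jailed = set()

    def feed(self, line):
        """Score one log line; return the IP if it has to be jailed now, else None."""
        m = LINE_RE.match(line.strip())
        try:
            ip = str(ipaddress.ip_address(m["ip"])) if m else None
        except ValueError:  # address field is not a valid IP: ignore the line
            ip = None
        if ip is None or ip in self.jailed:
            return None
        delta = 1 if m["result"] == "ok" else -1
        self.score[ip] = min(self.score[ip] + delta, MAX_SCORE)
        if self.score[ip] > JAIL_AT:
            return None
        self.jailed.add(ip)
        return ip

    def unjail(self, ip):
        """Release an IP and reset its counter, as the message proposes."""
        self.jailed.discard(ip)
        self.score[ip] = 0

def run(log_text):
    """Feed every line in order; return the tracker and the IPs jailed, in order."""
    tracker = LoginScore()
    return tracker, [ip for ip in map(tracker.feed, log_text.splitlines()) if ip]

def unban_argv(ip):
    # Command from the reply (fail2ban >= 0.10); run it as a list, without a shell.
    return ["fail2ban-client", "unban", str(ipaddress.ip_address(ip))]
```

Parsing the address with `ipaddress` before it reaches a command line keeps arbitrary log text out of the `fail2ban-client` call.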
