Ahoj,
Dňa Fri, 15 Jul 2022 17:12:48 +0300 Evgeniy Berdnikov via Exim-users
<exim-users@???> napísal:
> Note that fail2ban is not a realtime service, it scans logs in timely
> manner (typically by cron, every 10-15 min). So probability for
> active connection to be blocked by fail2ban is very low.
I do not know how do you are using fail2ban, but my usage is without
cron. It uses inotify on regular files and/or systemd journal on the
fly, which both are near real time.
The last fail2ban version log processing time along with logline
time, i do not see more than some hundreds ms difference, eg.:
2022-07-15 15:19:07,431 fail2ban.filter [247]: INFO [exim]
Found 49.85.88.74 - 2022-07-15 15:19:07 2022-07-15 15:19:14,820
It shows no more than 400 ms offset, thus yes it is not real time,
but near...
To OP: I will do not suggest to use as aggressive bans at all, as a lot
of hosts try only once and then go away, thus banning them is only
resource wasting...
You can use AUTH attempts counting in AUTH ACL and the do something with
this value, eg. (i do not drop by this way, thus only idea):
warn set acl_c_authcnt = ${eval10:$acl_c_authcnt+1}
drop condition = ${if >{$acl_c_authcnt}{1}}
condition = $authentication_failed
logwrite = H=$sender_fullhost LAST FAILed: \
$authenticated_fail_id
(BTW, last log with "LAST FAILed" was 25 days ago)
I recently discovered (OK, i ugpraded it) fail2bans bantime auto
incerement, whis i see as very useful for banning these toxics and to
deal with false positives relative acceptable with short initial
bantime:
fail2ban-client get exim banip --with-time
93.189.43.77 2022-07-15 07:24:12 + 86400 = 2022-07-16 07:24:12
104.144.69.131 2022-07-14 10:43:53 + 432000 = 2022-07-19 10:43:53
188.138.75.115 2022-07-14 22:05:07 + 604800 = 2022-07-21 22:05:07
...
...here you can see bantime from 1 to 7 days.
regards
--
Slavko
https://www.slavino.sk
