From 3fc7495bc9a7bec918e2e2da29a9dcffe700ed39 Mon Sep 17 00:00:00 2001 From: "Sergey G. Brester" Date: Tue, 24 Oct 2023 18:52:09 +0200 Subject: [PATCH] Updated How fail2ban works (markdown) --- How-fail2ban-works.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/How-fail2ban-works.md b/How-fail2ban-works.md index 86613cb..14614c9 100644 --- a/How-fail2ban-works.md +++ b/How-fail2ban-works.md @@ -21,7 +21,7 @@ Each failure (attempt) will be logged in `fail2ban.log` as:
` INFO [jail] Found 192.0.2.25`
First if you'll see at least 5 such lines with this IP address within 10 minutes, the IP goes banned and you should see:
` NOTICE [jail] Ban 192.0.2.25`
-(the solution could be to increase `findtime` or decrease `maxretry`); +If there are some `Found` but no `Ban` messages for an IP, the solution could be to increase `findtime` or decrease `maxretry`. Just note that the larger `findtime` and smaller `maxretry` the higher may be the probability of false positives (mistaken bans of legitimate users); - no matching date-time pattern or wrong date-time pattern specified for the jail resp. filter via `datepattern`, thus it does not match the log-line at all; - be careful with `%` character in fail2ban configurations (because of the python-config, it should be dual-escaped `%%`); - note the time of values that fail2ban recognizes from the log-file will be converted using the system time zone (if not specified different) - be sure that the times, written from the corresponding service into the log, are not too old for the fail2ban;
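Review bot: In the added `+` line, the caveat "the larger `findtime` and smaller `maxretry` the higher may be the probability of false positives" is hard to parse. Consider "the larger `findtime` and the smaller `maxretry`, the higher the probability of false positives (mistaken bans of legitimate users)". The first sentence of that line would also be more useful if it said why `Found` appears without `Ban`: fewer than `maxretry` failures from that IP fell inside the `findtime` window (the context line above uses 5 lines within 10 minutes). The reader can then confirm this from the `Found` timestamps in `fail2ban.log` before changing either value. Last, the new item opens with a capital letter and has a full stop in the middle, while the list items that follow are lowercase fragments ending in `;`. It is worth making the punctuation consistent across the list.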