
I have fail2ban set up with the following settings:

bantime  = 86400
findtime  = 600
maxretry = 2

This is great as it stops any IPs who are brute forcing 3 times within 10 minutes. However, there are IPs that are attempting every 30 mins or so. To catch those IPs, I changed the settings to:

bantime  = 86400
findtime  = 3600
maxretry = 2

Now, it checks every hour and catches some of those IPs that were trying every 20-30 minutes. However, now my VPS is not catching IPs who might be brute forcing at a high level for one hour.

Thus, is there any way to set the findtime = 3600 and also have fail2ban check every 10 minutes?

  • fail2ban "checks" every time it processes a log entry. So I don't understand your question. What is it you want? Commented Oct 13, 2016 at 17:48
  • Hi Michael, thanks for the question. I was under the impression that Fail2Ban checks logs at the same amount set by findtime. If this is not the case, do you know where to set the time interval for Fail2Ban to check a log? Also, please support the question with a vote if I provided a proper clarification. Thanks :-) Commented Oct 14, 2016 at 2:54
  • findtime is the interval in which maxretry matches must occur for the ban to trigger. The logs are read as they're written to disk. You seem to be asking to slow that down. Commented Oct 14, 2016 at 3:09

2 Answers


As mentioned by Michael Hampton in a couple of comments, the reaction time, how often fail2ban checks the logs, has nothing to do with the findtime parameter. fail2ban is expected to read new log data every second or so (it will depend on your computer load, but it should be really fast since in most cases new log data will still be in memory, in a kernel buffer.)

The findtime=... defines how far back logs are checked. The filter is checked against input that has a date between now - findtime and now. If the filter found maxretry or more lines of log that matched (not counting those that also match the ignoreregex) within that period of time (now - findtime to now), then it emits the ban action.

  ancient past  |     past       |       ban         |   future
----------------+--*--*-*--*---*-+-------------------+------------->
                |                |                   |
                |                |                   +--> now + bantime
                |                +--> now
                +--> now - findtime

There is a graph showing the timeline. Logs part of ancient past are ignored. Logs between now - findtime and now, section named past, are checked for matches. If the number of matches (represented by asterisks) is >= maxretry then a ban is started at now. The ban lasts until now + bantime. Note that hits with the same IP once the IP was banned should not happen for the port for which it was banned. It could still happen for other ports, though.

So by increasing the findtime=... you do not affect the reaction time, however, you increase the chance for an IP to get banned by the corresponding filter.
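As an added example (not part of the original answer and not fail2ban's own code), here is a small Python model of the decision the answer describes, replaying constructed failure timestamps for a fast and a slow brute forcer under the two findtime values from the question:

```python
# Added example, not fail2ban's own code: a minimal model of the ban
# decision described above, replaying one IP's failure timestamps
# (seconds, in log order) and reporting when a ban would fire.

def ban_times(hits, findtime, maxretry, bantime):
    """Return the timestamps at which a ban fires for this IP.

    A hit is counted if it lies within the last `findtime` seconds; the
    ban fires the moment the count reaches `maxretry`, i.e. at the time of
    the triggering hit itself, not at some later polling interval.  Hits
    while the IP is banned are skipped: the port is blocked, so they should
    not reach the log at all.
    """
    window = []          # hits still inside (now - findtime, now]
    banned_until = None
    bans = []
    for now in hits:
        if banned_until is not None and now < banned_until:
            continue
        # drop hits that fell into the "ancient past"
        window = [h for h in window if now - h < findtime]
        window.append(now)
        if len(window) >= maxretry:
            bans.append(now)
            banned_until = now + bantime
            window = []   # counter starts over once a ban has fired
    return bans


# Constructed sample inputs: a fast brute forcer (30 s between attempts)
# and a slow one that retries every 30 minutes.
FAST_ATTACKER = [0, 30, 60, 90]
SLOW_ATTACKER = [0, 1800, 3600, 5400]


def compare(findtime, maxretry=2, bantime=86400):
    """Ban times for both attackers under one findtime setting."""
    return {
        "fast": ban_times(FAST_ATTACKER, findtime, maxretry, bantime),
        "slow": ban_times(SLOW_ATTACKER, findtime, maxretry, bantime),
    }


if __name__ == "__main__":
    # findtime=600 bans the fast attacker at t=30 and never the slow one;
    # findtime=3600 bans the slow attacker at t=1800 and still bans the
    # fast one at t=30: the reaction time did not change.
    for ft in (600, 3600):
        print(f"findtime={ft}: {compare(ft)}")
```

Raising findtime to 3600 makes the slow attacker bannable without delaying the ban on the fast one, which is the point of the answer.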


You can add a jail in jail.conf to check who is brute forcing every 30 minutes. An example of a working configuration is:

# first jail: looks back 10 minutes (findtime = 600 is the fail2ban default, stated here explicitly)
[ssh]

enabled  = true
port     = ssh
filter   = sshd
action   = %(action_)s
logpath  = /var/log/auth.log
maxretry = 3
findtime = 600
bantime  = 600

# second jail: reads fail2ban's own log and looks back one hour
[fail2ban-ssh]

enabled  = true
filter   = fail2ban-ssh
logpath  = /var/log/fail2ban.log
action   = iptables-multiport
maxretry = 3
findtime = 3600
# ban for a day
bantime  = 86400

Create a file fail2ban-ssh.conf and put it in filter.d to match what you wish, for example:

[Definition]

failregex = fail2ban.actions: WARNING \[ssh\] Unban <HOST>
  • As per the answer from @Alexis Wilke, there is no need to have two services. The blocking is instant, i.e. the fail2ban daemon reads the log all the time and the reaction is within 1 second or so, with no connectivity to the findtime or bantime parameter. Commented Dec 4, 2019 at 19:56
