Is it possible to merge different filters to have hackers banned quicker?
Example in fail2ban.log
INFO [filter1] Found 157.230.xxx.yyy - 2023-08-18 10:16:26
INFO [filter2] Found 157.230.xxx.yyy - 2023-08-18 10:16:26
INFO [filter3] Found 157.230.xxx.yyy - 2023-08-18 10:16:27
INFO [filter4] Found 157.230.xxx.yyy - 2023-08-18 10:16:27
This would result in an instant ban if you could count all 4.
Or else no ban.
Good question, I am looking for ways to make f2b more efficient also.
You can have multiple conditions in a failregex statement, but that would trigger on any, and perhaps you want to trigger on each and then combine the total.
You could modify a copy of the recidive filter to trigger on multiple “found” log entries rather than multiple “ban” entries. Or trigger on either “found” or “ban” with the same HOST.
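The counting idea from the reply above, as an added example that is not code from the thread or from fail2ban: it sums "Found" entries for the same host across all jails inside one time window. The parameters `maxretry` and `findtime` mirror fail2ban's jail options of the same names; the jail name `found-any`, the function name and the sample log lines are constructed for illustration, and the log is assumed to be in chronological order.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Matches a fail2ban.log "Found" entry from any jail. The jail name is captured
# so the aggregating jail (hypothetical name "found-any") can skip its own lines.
FOUND_RE = re.compile(
    r"INFO\s+\[(?P<jail>[^\]]+)\]\s+Found\s+(?P<host>\S+)\s+-\s+"
    r"(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})"
)

def hosts_to_ban(lines, maxretry=4, findtime=10, own_jail="found-any"):
    """Return hosts with >= maxretry 'Found' entries, summed over all jails,
    inside a sliding window of findtime seconds."""
    window = defaultdict(deque)  # host -> timestamps of hits still in the window
    banned = []
    for line in lines:
        m = FOUND_RE.search(line)
        if not m or m["jail"] == own_jail:
            continue  # not a "Found" line, or our own jail's entry
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        hits = window[m["host"]]
        hits.append(ts)
        while ts - hits[0] > timedelta(seconds=findtime):
            hits.popleft()  # drop hits that fell out of the window
        if len(hits) >= maxretry and m["host"] not in banned:
            banned.append(m["host"])
    return banned

# Constructed sample lines (documentation IP ranges, not real traffic).
SAMPLE = [
    "INFO [filter1] Found 203.0.113.7 - 2023-08-18 10:16:26",
    "INFO [filter2] Found 203.0.113.7 - 2023-08-18 10:16:26",
    "INFO [filter1] Found 198.51.100.9 - 2023-08-18 10:16:26",
    "INFO [filter3] Found 203.0.113.7 - 2023-08-18 10:16:27",
    "INFO [filter4] Found 203.0.113.7 - 2023-08-18 10:16:27",
    "INFO [filter2] Found 198.51.100.9 - 2023-08-18 10:20:00",
    "NOTICE [filter1] Ban 192.0.2.50",
    "INFO [found-any] Found 198.51.100.9 - 2023-08-18 10:20:01",
]

if __name__ == "__main__":
    print(hosts_to_ban(SAMPLE))
```

With the defaults, only the host seen by four jails within two seconds crosses the threshold; the host with two hits minutes apart does not.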
In this case the best place to ask is the F2B repository. In fact, the rules should not be merged, but rather that when a condition is met, the other jails should not be evaluated. Time also comes into the equation here: practically, what else can the attacker do until he is permanently blocked? For this reason, the catch must be immediate.