Customizable values of maxretry for each jail

fail2ban
v7

(Aaron) #1

I would like to adjust the maxretry values of each jail in fail2ban separately…
Wouldn’t it be pretty cool if one could do that via the webgui?! :wink:
Or do you think it would be overloading?


(Stéphane de Labrusse) #2

Honestly yes, I don’t see the gain. Of course I’m open-minded about any new features (jail, filter, UI…)


(Aaron) #3

For example, I would like to make the roundcubemail-auth jail a bit less strict by increasing its maxretry value… the reason is that there are people in my organization who have problems remembering strong passwords even if they set them themselves… and hence they get banned by the jail regularly.

To set the general value of maxretry lower is not really an option for me (the decrease of security is too high…).

Of course, I can adjust the maxretry value of each jail by editing the jail.local file (resp. its template). This is what I have done so far.

However, I could imagine that more people have similar problems (perhaps someone would like to secure apache-auth even more but would like to leave the value of the other jails… or something like that)…


(Stéphane de Labrusse) #4

```perl
{
# Skip this jail when Nextcloud is not installed (no log file to watch)
return "\n#nextcloud not installed on this server" unless (-f '/var/lib/nethserver/nextcloud/nextcloud.log');

# Read the jail settings from the config DB records, with fallback defaults
my $Nextcloud_status = $fail2ban{Nextcloud_status} || 'true';
my $TCPPorts = $httpd{TCPPorts} || '80,443';
my $maxretry = $fail2ban{MaxRetry} || '3';

# Emit the jail section into the generated jail.local
$OUT .= qq(
[nextcloud-auth]
enabled  = $Nextcloud_status
port     = $TCPPorts
logpath  = /var/lib/nethserver/nextcloud/nextcloud.log
maxretry = $maxretry
)
}
```

this is one jail, we could imagine something like that

```perl
my $maxretry = $fail2ban{NextcloudMaxRetry} || $fail2ban{MaxRetry};
```

and set it manually by a

```
config setprop fail2ban NextcloudMaxRetry 21000
signal-event nethserver-fail2ban-save
```

(Aaron) #5

yes exactly!
I’m not so familiar with the key values in the template system yet… but great that it seems to be not very hard for you…!


(Stéphane de Labrusse) #6

On the other hand, you could create an account at GitHub, fork the nethserver-fail2ban project, do the modifications and start a pull request to push your changes… Something new to learn, that is great.


(Aaron) #7

Yes, I know… (and btw I already have a GitHub account)
but in the upcoming weeks I will presumably have very, very little time… :frowning: but let’s see! :wink:


(Stéphane de Labrusse) #8

update your version for ns6 and ns7

you can set a custom value for a jail

```
[root@ns7dev8 ~]# config show fail2ban |grep -i maxretry
    Apache_MaxRetry=
    Dovecot_MaxRetry=
    Ejabber_MaxRetry=
    HttpdAdmin_MaxRetry=
    MaxRetry=3
    Mysqld_MaxRetry=
    Nextcloud_MaxRetry=
    Nginx_MaxRetry=
    OpenVpnAuth_MaxRetry=
    OpenVpn_MaxRetry=
    Owncloud_MaxRetry=
    PamGeneric_MaxRetry=
    Postfix_MaxRetry=
    Recidive_MaxRetry=
    Roundcube_MaxRetry=
    Sieve_MaxRetry=
    Sogo_MaxRetry=
    Sshd_MaxRetry=
    Urbackup_MaxRetry=
    Vsftpd_MaxRetry=
```

only available by a db command

```
config setprop fail2ban Urbackup_MaxRetry 18
signal-event nethserver-fail2ban-save
```

if you delete the property you go back to the default MaxRetry value

```
config setprop fail2ban Urbackup_MaxRetry ''
signal-event nethserver-fail2ban-save
```

@Draago_Bellasys come here to read
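
One way to audit the per-jail overrides described in post #8, as an added example that is not part of the original thread or of nethserver-fail2ban: the function reads `config show fail2ban` output and reports each jail's effective maxretry, treating an empty property as the `MaxRetry` default and marking overrides that are looser or stricter than it. The function names and the sample values are assumptions constructed for illustration.

```shell
# Added example: effective maxretry per jail from `config show fail2ban` output.
# Reads the output on stdin and prints one line per jail:
#   <Jail> <effective maxretry> <default|relaxed|stricter|same|invalid>
effective_maxretry() {
    awk -F= '
        # Strip the indentation before each property and trailing whitespace.
        { sub(/^[ \t]+/, "", $1); gsub(/[ \t\r]+$/, "", $2) }
        $1 == "MaxRetry"  { def = $2; next }
        $1 ~ /_MaxRetry$/ { jail = $1; sub(/_MaxRetry$/, "", jail)
                            order[++n] = jail; val[jail] = $2 }
        END {
            if (def !~ /^[0-9]+$/) {
                print "error: no numeric MaxRetry default found" > "/dev/stderr"
                exit 2
            }
            for (i = 1; i <= n; i++) {
                j = order[i]; v = val[j]
                if (v == "")               print j, def, "default"   # empty: falls back
                else if (v !~ /^[0-9]+$/)  print j, v, "invalid"     # would break the jail
                else if (v + 0 > def + 0)  print j, v, "relaxed"     # more attempts allowed
                else if (v + 0 < def + 0)  print j, v, "stricter"
                else                       print j, v, "same"
            }
        }'
}

# Constructed sample in the format shown in post #8 (values are made up).
sample_config() {
    cat <<'EOF'
    MaxRetry=3
    Nextcloud_MaxRetry=
    Roundcube_MaxRetry=6
    Sshd_MaxRetry=2
    Urbackup_MaxRetry=18
EOF
}

# On a NethServer host: config show fail2ban | effective_maxretry
```

Jails reported as `relaxed` tolerate more failed logins than the global default before a ban, so they are the ones worth reviewing after a change.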


(Aaron) #9

great! it works! :wink:
thanks!