I might suggest a tighter repeat offender sanction. e.g.
[recidive]
enabled = true
logpath = /var/log/fail2ban.log*
banaction = shorewall
bantime = 604800
#findtime shorter, more efficient
findtime = 86400
#repeat offender tolerance?
maxretry = 1
Remember, this is checking repeat offender via the fail2ban logfile itself, so there should be pretty much zero tolerance for repeatedly blown passwords (such as 12 missed passwords in a 24 hour period if your original policy allows 6 retries…).
At most set maxretry = 2, to allow for up to 18 mistaken passwords in 24 hours.
My infrastructure is under constant attack from bot servers which are automating a type of serialized brute force attack, typically their scripts auto-increment a password guess for root, but also attempt to crack other common usernames.
The offending servers are using additional probing techniques, port-scanning, etc. and if WordPress is on the site, standard port attacks attempting to crack admin privileges, or database privs using vulnerability exploits… at times 5 hits per minute 24/7 just trying to crack unix users, sometimes multiplied by efforts from clearly 4 or 5 different IP addresses.
Some are apparently “better mousing” the system by limiting their attack to 3 password attempts instead of 5. This is presumably to defeat detection.
Without fail2ban, this boils down to not an insignificant waste of resources as just one bad server IP consumes 18,000 qualified responses in our auth log each day (5 hits per minute), this also generates a lot of logfile data, up to 25Mb/month.
When multiplied by 4 or 5 server scripts this ends up being about 150,000 hits per day and 180-250Mb/month in logfile data just from this one attack vector. We set fail2ban very tightly as suggested and it also has the effect of making it very unfortunate for sloppy employee logins.
The bottom line is that for our use-case, we achieved greater efficiency in the fail2ban system and our overall system resources saw improved availability after maintaining a clean separation of concerns using Recidive as suggested. #WorksForUs
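An added example, not part of the comment above: a small offline model of what a recidive-style jail does with fail2ban.log, so the effect of `maxretry = 1` versus `maxretry = 2` at `findtime = 86400` can be checked against your own log. The log lines are constructed, `recidive_hits` is a hypothetical helper, and it assumes the usual `fail2ban.actions ... [jail] Ban <ip>` line format and that a hit fires once the number of Ban lines inside findtime reaches maxretry.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of fail2ban.log lines (documentation-range IPs).
SAMPLE_LOG = """\
2024-05-01 02:10:11,101 fail2ban.actions [812]: NOTICE [sshd] Ban 203.0.113.7
2024-05-01 02:20:11,412 fail2ban.actions [812]: NOTICE [sshd] Unban 203.0.113.7
2024-05-01 09:45:03,220 fail2ban.actions [812]: NOTICE [sshd] Ban 198.51.100.23
2024-05-01 14:02:57,009 fail2ban.actions [812]: NOTICE [wordpress] Ban 203.0.113.7
2024-05-01 14:03:00,500 fail2ban.actions [812]: NOTICE [recidive] Ban 203.0.113.7
2024-05-03 08:00:00,000 fail2ban.actions [812]: NOTICE [sshd] Ban 198.51.100.23
"""

# Matches only "Ban" actions; "Unban" lines do not match.
BAN_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d+\s+fail2ban\.actions\s+"
    r"\[\d+\]:\s+(?:NOTICE|WARNING)\s+\[(?P<jail>[^\]]+)\]\s+Ban\s+(?P<ip>\S+)\s*$"
)

def recidive_hits(log_text, maxretry, findtime, own_jail="recidive"):
    """Return {ip: time of the Ban line that reaches maxretry within findtime}."""
    window = timedelta(seconds=findtime)
    recent = defaultdict(deque)   # ip -> timestamps of bans still inside the window
    hits = {}
    for line in log_text.splitlines():
        m = BAN_RE.match(line)
        if not m or m["jail"] == own_jail:   # ignore the repeat-offender jail's own bans
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        q = recent[m["ip"]]
        q.append(ts)
        while ts - q[0] > window:            # drop bans older than findtime
            q.popleft()
        if len(q) >= maxretry and m["ip"] not in hits:
            hits[m["ip"]] = ts               # assumed threshold: count >= maxretry
    return hits

if __name__ == "__main__":
    for mr in (1, 2):
        print(f"maxretry={mr}:", recidive_hits(SAMPLE_LOG, mr, 86400))
```

Point it at the contents of your own fail2ban.log to see which addresses each setting would have escalated to the week-long ban.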