fail2ban behavior (IP banned seemingly after 54 attempts)

jehowe

What do you make of this? I have fail2ban set up through Ward's install script, running with maxretries=3, and successfully tested on my end. Today I received an email from fail2ban.....

Hi,

The IP 217.195.180.180 has just been banned by Fail2Ban after
54 attempts against ASTERISK.


Here are more information about 217.195.180.180:

[Querying whois.ripe.net].....
The puzzling part is that it would seem to have allowed that many (54) attempts before banning this IP. Now, would this indicate a very rapid attack before fail2ban could catch it? Possibly simultaneous attempts on a range of extensions? Fail2ban behaving in a way it shouldn't? Or something else entirely.

Thankfully I haven't had any other attacks to compare with, aside from my local tests.
 
Fail2Ban is a log parser; if they are quick, or rather the automated process they are using is quick, then you can get a lot of attempts in before blocking.

Decreasing the time between log parsing may impact performance.

In the grand scheme of things, 54 attempts is not very many goes, and with a good password should not give cause for concern.

As a comparison, SIPp, the SIP load testing tool, can easily do 5000 calls per second.

Joe
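
The effect described in the reply above, as an added example that is not part of the original thread: a simplified model of a polling log parser (not fail2ban's own code) that counts how many failed attempts are logged before a ban takes effect. The attempt rates, poll interval and ban latency are assumptions chosen for illustration, and the IPs are documentation addresses.

```python
import math
from collections import defaultdict

def make_burst(ip, start, count, rate_per_sec):
    """Constructed sample data: `count` failed-auth log events at a fixed rate."""
    return [(start + i / rate_per_sec, ip) for i in range(count)]

def attempts_before_ban(events, maxretry=3, findtime=600.0,
                        poll_interval=1.0, ban_latency=0.0):
    """Simplified polling model (an assumption, not fail2ban's actual code).

    The parser wakes every `poll_interval` seconds, reads the log lines written
    since the last wake-up, and bans an IP once it has `maxretry` failures
    inside `findtime`. The block becomes effective `ban_latency` seconds later
    (firewall rule insertion, mail/whois actions). Returns, per banned IP, the
    number of attempts that were logged before the block took effect.
    """
    events = sorted(events)
    recent = defaultdict(list)   # ip -> failure timestamps inside findtime
    ban_time = {}                # ip -> time the block becomes effective
    idx, k = 0, 0
    while idx < len(events):
        # Jump to the first poll tick at or after the next unread log line.
        k = max(k + 1, math.ceil(events[idx][0] / poll_interval))
        wake = k * poll_interval
        while idx < len(events) and events[idx][0] <= wake:
            ts, ip = events[idx]
            idx += 1
            if ip not in ban_time:
                recent[ip].append(ts)
        for ip, stamps in recent.items():
            if ip in ban_time:
                continue
            stamps[:] = [t for t in stamps if t > wake - findtime]
            if len(stamps) >= maxretry:
                ban_time[ip] = wake + ban_latency
    return {ip: sum(1 for ts, src in events if src == ip and ts < t)
            for ip, t in ban_time.items()}

if __name__ == "__main__":
    fast = make_burst("203.0.113.10", 0.01, 200, 18)    # 18 attempts/second
    slow = make_burst("198.51.100.7", 0.01, 10, 0.1)    # one attempt per 10 s
    # 1 s polling, 2 s until the block is effective: fast source logs 54, slow 3
    print(attempts_before_ban(fast + slow, ban_latency=2.0))
    # 0.1 s polling, instant block: the fast source still gets 4 attempts logged
    print(attempts_before_ban(fast, poll_interval=0.1))
```

With maxretry=3 the slow source is stopped at exactly three attempts, while the fast one overshoots by however many requests fit into the polling and ban-insertion window.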
 
