I know how to use fail2ban and how to configure a jail, but I'm not comfortable about how it actually works.
The thing is, there's a particular jail option that piqued my curiosity: findtime.
When I configure a filter, it is necessary to use the HOST keyword (match IP address), so that fail2ban can know the IP to compare and ban if necessary. Alright.
But there's no such thing for time: fail2ban can't know the exact time a line was added to a log file, because there's no TIME keyword, right? Actually, it can scan files without any time on any line and it will still work.
I guess it means fail2ban is scanning files periodically: it sets a scan time internally so it can handle options like findtime by comparing its own scan dates.
First, am I right? If so, what is the scan frequency? Can't it be a bottleneck if there are lots of big log files to scan often?
Then, what happens if the scan frequency is higher than the findtime option? Does it mean fail2ban adapts to the minimal findtime option it found to set its minimal scan frequency?
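Added example (not part of the question, not fail2ban's own code): fail2ban does read a timestamp from each log line (the filter's datepattern) and measures findtime against those timestamps, not against when it scanned the file; the sliding-window logic below reproduces that on constructed sshd-style lines, with a simplified failregex and a fixed year as assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (sshd-style); no real host or address.
SAMPLE_LOG = """\
Mar 10 10:00:01 host sshd[111]: Failed password for root from 203.0.113.5 port 4000 ssh2
Mar 10 10:01:00 host sshd[115]: Failed password for admin from 198.51.100.9 port 5000 ssh2
Mar 10 10:02:00 host sshd[116]: Failed password for admin from 198.51.100.9 port 5001 ssh2
Mar 10 10:03:00 host sshd[117]: Failed password for admin from 198.51.100.9 port 5002 ssh2
Mar 10 10:03:10 host sshd[112]: Failed password for root from 203.0.113.5 port 4001 ssh2
Mar 10 10:15:00 host sshd[113]: Failed password for root from 203.0.113.5 port 4002 ssh2
Mar 10 10:16:30 host sshd[114]: Failed password for root from 203.0.113.5 port 4003 ssh2
"""

# Simplified failregex: the timestamp prefix plus a <HOST> group, as a filter would define it.
FAILREGEX = re.compile(
    r"^(?P<time>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for \S+ from (?P<host>\d{1,3}(?:\.\d{1,3}){3}) "
)

def parse_time(text, year=2024):
    # Syslog lines carry no year; it is pinned here (assumption) so the example is deterministic.
    return datetime.strptime(f"{year} {text}", "%Y %b %d %H:%M:%S")

def find_bans(lines, findtime=600, maxretry=3):
    """Return {host: time_of_ban} for hosts with >= maxretry failures inside a findtime window."""
    window = timedelta(seconds=findtime)
    recent = defaultdict(deque)   # per-host timestamps still inside the window
    bans = {}
    for line in lines:
        m = FAILREGEX.match(line)
        if not m:
            continue                # line does not match the filter: ignored
        host, when = m.group("host"), parse_time(m.group("time"))
        if host in bans:
            continue                # already banned; later lines do not matter here
        q = recent[host]
        q.append(when)
        while q and when - q[0] > window:
            q.popleft()             # drop failures older than findtime relative to this line
        if len(q) >= maxretry:
            bans[host] = when       # ban time is the log timestamp of the decisive failure
    return bans
```

With findtime=600 only 198.51.100.9 is banned; 203.0.113.5 spreads its failures over more than ten minutes and is only caught when findtime is raised to 1200.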