What is the optimum ban duration of a brute force attack?

I use fail2ban to prevent brute force attacks on my production servers. Fail2ban bans an IP after 5 authentication failures and unbans it after 1 hour with my own configuration. I wonder what the optimum ban duration is, or do I really need to unban it again? Is banning an IP permanently the best solution?


There is no general rule for the optimum time of a ban, it depends on a lot of factors including

  • The type of server/service
  • The target audience
  • The type of attack
  • and the specific attack/attacker.

This is of course also true when deciding whether you need to unban at all - if very few IP addresses might legitimately connect to your services, banning attackers (semi) permanently might not be a bad idea, but in other cases this will create more problems than it solves.

Edit regarding your comment:

The most important protection for root accounts is to

  • Don't allow root access to begin with.
  • Use only key-based login for the other users and disallow passwords.

This also helps to protect you against the distributed type of brute-force attack you can see today, where you are slowly attacked by a great number of botnet machines, each trying only a very small number of passwords and thus not triggering stuff like fail2ban at all.

2nd edit, regarding 2nd comment:

We are clearly in the "it depends" territory here. An example from my environments:

  • Machine 1 has users logging in from external networks. I can't disable password logins (because of reasons :( ). Ban time is set to 10 minutes.
  • Machine 2 has only admins logging in from very few, slowly changing IPs. Ban time is set to 24h.

The thing is that the 24h ban works only marginally better, if at all (*), but machine 2 is much better protected nevertheless due to the restriction to non-root, key-based logins.

(*) This is my impression and is not founded in any real statistical analysis of log files.
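A constructed illustration of the distributed pattern the answer describes (an added example, not part of the original post or of fail2ban): it tallies sshd "Failed password" lines per source IP the way a fail2ban sshd filter would, and shows that one noisy IP trips maxretry=5 while three hosts sending three attempts each never reach the threshold. The log lines, host name and TEST-NET addresses are made up, and every line is assumed to fall inside one findtime window.

```shell
#!/bin/sh
# Constructed sshd log sample (TEST-NET addresses, not from the original post):
# 203.0.113.7 makes 6 attempts, three 198.51.100.x hosts make 3 attempts each.
AUTH_LOG=$(cat <<'EOF'
Mar  1 10:00:01 host sshd[2001]: Failed password for root from 203.0.113.7 port 51000 ssh2
Mar  1 10:00:03 host sshd[2002]: Failed password for root from 203.0.113.7 port 51001 ssh2
Mar  1 10:00:05 host sshd[2003]: Failed password for root from 203.0.113.7 port 51002 ssh2
Mar  1 10:00:07 host sshd[2004]: Failed password for invalid user admin from 203.0.113.7 port 51003 ssh2
Mar  1 10:00:09 host sshd[2005]: Failed password for invalid user admin from 203.0.113.7 port 51004 ssh2
Mar  1 10:00:11 host sshd[2006]: Failed password for root from 203.0.113.7 port 51005 ssh2
Mar  1 10:01:00 host sshd[2010]: Failed password for root from 198.51.100.1 port 40001 ssh2
Mar  1 10:01:02 host sshd[2011]: Failed password for root from 198.51.100.1 port 40002 ssh2
Mar  1 10:01:04 host sshd[2012]: Failed password for root from 198.51.100.1 port 40003 ssh2
Mar  1 10:01:06 host sshd[2013]: Failed password for root from 198.51.100.2 port 40004 ssh2
Mar  1 10:01:08 host sshd[2014]: Failed password for root from 198.51.100.2 port 40005 ssh2
Mar  1 10:01:10 host sshd[2015]: Failed password for root from 198.51.100.2 port 40006 ssh2
Mar  1 10:01:12 host sshd[2016]: Failed password for root from 198.51.100.3 port 40007 ssh2
Mar  1 10:01:14 host sshd[2017]: Failed password for root from 198.51.100.3 port 40008 ssh2
Mar  1 10:01:16 host sshd[2018]: Failed password for root from 198.51.100.3 port 40009 ssh2
Mar  1 10:02:00 host sshd[2020]: Accepted publickey for alice from 192.0.2.10 port 40100 ssh2
EOF
)

# Count "Failed password" lines per source IP (what a fail2ban sshd filter
# would match); output is "ip count", one line per IP.
count_failures_per_ip() {
  printf '%s\n' "$AUTH_LOG" \
    | awk '/Failed password/ { for (i = 1; i <= NF; i++) if ($i == "from") { print $(i+1); break } }' \
    | sort | uniq -c | awk '{ print $2, $1 }'
}

# IPs whose failure count reaches the jail's maxretry and would be banned.
banned_ips() {
  count_failures_per_ip | awk -v max="$1" '$2 >= max { print $1 }'
}

# Failures from IPs that stay below maxretry: the share of a distributed
# attack that a per-IP threshold never acts on.
undetected_failures() {
  count_failures_per_ip | awk -v max="$1" '$2 < max { s += $2 } END { print s + 0 }'
}

MAXRETRY=5
echo "Banned at maxretry=$MAXRETRY: $(banned_ips "$MAXRETRY" | tr '\n' ' ')"
echo "Failures never reaching the threshold: $(undetected_failures "$MAXRETRY") of $(printf '%s\n' "$AUTH_LOG" | grep -c 'Failed password')"
```

Lowering maxretry to 3 catches all four source IPs in this sample, at the cost of banning legitimate users who mistype a password three times; this is the trade-off that makes key-only, non-root logins the more robust answer.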