Safety. fail2ban settings

Please help me configure fail2ban correctly.
I want to set it up and check it correctly.

With the current settings, today there is a brute-force search of passwords every 11 minutes from the address 195.133.40.139.
Why does it sneak through the fail2ban settings?

/etc/fail2ban/jail.local

[hestia-iptables]
enabled  = true
filter   = hestia
action   = hestia[name=HESTIA]
logpath  = /var/log/hestia/auth.log
maxretry = 5

/etc/fail2ban/jail.conf

# "bantime" is the number of seconds that a host is banned.
bantime  = 10m

# A host is banned if it has generated "maxretry" during the last "findtime"
# seconds.
findtime  = 10m

# "maxretry" is the number of failures before a host get banned.
maxretry = 5

How is the panel setting related, and
why does jail.local, if it indicates a detection time of 86400 (24h),
skip brute-force attempts every 11 minutes?

jail.local

[recidive]
enabled  = true
filter   = recidive
action   = hestia[name=RECIDIVE]
logpath  = /var/log/fail2ban.log
maxretry = 5
findtime = 86400
bantime  = 864000

Friends, help me understand
how to properly configure fail2ban
to block attempts to brute-force passwords,
for example in 15 minutes or more

Thanks
With best regards
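
Added example, not part of the original post and not fail2ban's own code: a simplified sliding-window model of the findtime/maxretry rule quoted from jail.conf above, run over a constructed series of one failed login every 11 minutes. The function names, the sample timestamps and the treatment of a failure exactly `findtime` seconds old as expired are assumptions.

```python
# Simplified model of the documented findtime/maxretry rule; not fail2ban's source.
from collections import deque


def first_ban_time(failure_times, findtime, maxretry):
    """Return the timestamp (seconds) at which a host would be banned, or None.

    A ban fires when `maxretry` failures fall inside the trailing `findtime`
    seconds, as the jail.conf comments describe.
    """
    window = deque()
    for t in sorted(failure_times):
        window.append(t)
        # Forget failures that have aged out of the detection window.
        while window and window[0] <= t - findtime:
            window.popleft()
        if len(window) >= maxretry:
            return t
    return None


def min_findtime(interval, maxretry):
    """Smallest findtime (seconds) that still catches one failure every `interval` s."""
    # maxretry failures span (maxretry - 1) intervals; the window must be longer.
    return (maxretry - 1) * interval + 1


# Constructed sample: one failed login every 11 minutes for 24 hours.
INTERVAL = 11 * 60
ATTEMPTS = list(range(0, 24 * 3600, INTERVAL))

if __name__ == "__main__":
    for label, findtime in (("10m (jail.conf value)", 600),
                            ("15m", 900),
                            ("24h", 86400)):
        banned_at = first_ban_time(ATTEMPTS, findtime, maxretry=5)
        print(f"findtime={label:<22} ban at second: {banned_at}")
    print("minimum findtime for maxretry=5:", min_findtime(INTERVAL, 5), "s")
```

In this model, maxretry = 5 with findtime = 10m or 15m never bans a host that fails once every 11 minutes, while any findtime above 44 minutes bans it at the fifth failure.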

The category name “RECIDIVE” does not exist in HestiaCP yet. Maybe that’s why it doesn’t show bans. You can use an already used one:
action = hestia[name=HESTIA]

Or as I do, use an unused one so you can differentiate it in the list of blocked IPs:
action = hestia[name=DB]

Hmm
I have version 1.4.6, only installed this morning.
The category “RECIDIVE” exists
/etc/fail2ban/jail.local

[ssh-iptables]
enabled  = true
filter   = sshd
action   = hestia[name=SSH]
logpath  = /var/log/auth.log
maxretry = 3

[vsftpd-iptables]
enabled  = true
filter   = vsftpd
action   = hestia[name=FTP]
logpath  = /var/log/vsftpd.log
maxretry = 3

[exim-iptables]
enabled  = true
filter   = exim
action   = hestia[name=MAIL]
logpath  = /var/log/exim4/mainlog

[dovecot-iptables]
enabled  = true
filter   = dovecot
action   = hestia[name=MAIL]
logpath  = /var/log/dovecot.log

[mysqld-iptables]
enabled  = false
filter   = mysqld-auth
action   = hestia[name=DB]
logpath  = /var/log/mysql.log
maxretry = 5

[hestia-iptables]
enabled  = true
filter   = hestia
action   = hestia[name=HESTIA]
logpath  = /var/log/hestia/auth.log
maxretry = 3

[roundcube-auth]
enabled  = false
filter   = roundcube-auth
action   = hestia[name=WEB]
logpath  = /var/log/roundcube/errors
maxretry = 5

[recidive]
enabled  = true
filter   = recidive
action   = hestia[name=RECIDIVE]
logpath  = /var/log/fail2ban.log
maxretry = 3
findtime = 86400
bantime  = 864000

It is a copy/paste from the default Hestia settings

How do I understand?
There is a category but it does not work
Or if the configuration file contains a category then it is
Please tell us more about this, please

Regards,

Activate the recidive jail and you will be fine

I’ve had HestiaCP installed for a couple of years now and I didn’t realise that “hestia[name=RECIDIVE]” is the default action.

What I am trying to explain is that if you try to ban an IP manually from the panel (https://sub.domain.tld:8083/add/firewall/banlist/), the category name “RECIDIVE” does not appear in the drop-down menu. This could cause an error when adding a rule to the firewall, or it could be that the rule is added but then the panel does not show it in the list (https://sub.domain.tld:8083/list/firewall/banlist/).

Maybe the developers can correct me.

The recidive rule should not be triggered manually because it is to ban repeat offenders.

What I am trying to find out is whether, when using “hestia[name=RECIDIVE]” in the recidive filter, the name “RECIDIVE” appears in the “Comment” column of the list of IPs banned by Fail2ban.

It could be the case that these IPs are banned but do not appear in the list on the web panel (https://sub.domain.tld:8083/list/firewall/banlist/).

jlguerrero: do they appear for you?


Yes! I can see the Recidive rule in action

Ok, thank you very much. Changed my recidive action line.