I read the documentation for pike usage and have a doubt: what is best for the very dynamic IPs of my devices? I mean, I'm just curious about that very ironic and problematic scenario:
For the scanners I set up fail2ban, but only when the scanning is detected. But if I have the pike option like this:
# this is my setup for pike, due to the dynamic IPs and devices over the internet:
modparam("pike", "sampling_time_unit", 4)
modparam("pike", "reqs_density_per_unit", 80)
modparam("pike", "remove_latency", 60)
...
route {
    if (!pike_check_req()) {
        xlog("L_ALERT", "ALERT: pike block $rm from $fu (IP:$si:$sp)\n");
        exit;
    }
    ...
}
I put the remove latency at 60, so then, because they are dynamic, they must remain in memory longer (since anyone could be a possible client), and just ban if there are 180 (60*3) requests every 4 seconds.
Is it a good configuration, or maybe I'm wrong? Please help me!
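One way to sanity-check a pike configuration before trusting it, as an added example that is not part of the original post and not pike's own code: a small Python model of the three parameters from the post, fed with constructed traffic patterns. The windowing and expiry rules in it are simplifying assumptions (stated in the docstring and the comments), so treat the numbers as a way to reason about the configured thresholds rather than as a reproduction of the module's exact behaviour; the IP addresses and traffic patterns are constructed.

```python
"""Toy model of pike-style request-density blocking (added example, not pike's code).

Assumptions, not taken from the original post or from pike's source:
  - a source IP is counted per sampling_time_unit window; the hits of the
    current window plus the previous one are compared against
    reqs_density_per_unit, and the source is flagged blocked once that sum
    reaches the limit;
  - a blocked source stays blocked while it keeps sending; its entry (and the
    block) is dropped only after remove_latency seconds with no requests.
Check these against the pike module documentation before relying on them.
"""
from dataclasses import dataclass

# Values from the original post
SAMPLING_TIME_UNIT = 4      # seconds per counting window
REQS_DENSITY_PER_UNIT = 80  # hits per window that trigger a block
REMOVE_LATENCY = 60         # idle seconds before a source is forgotten


@dataclass
class SourceState:
    window: int           # index of the current sampling window
    prev_hits: int = 0    # hits in the previous window
    cur_hits: int = 0     # hits in the current window
    last_seen: float = 0.0
    blocked: bool = False


class PikeModel:
    def __init__(self, unit=SAMPLING_TIME_UNIT, density=REQS_DENSITY_PER_UNIT,
                 latency=REMOVE_LATENCY):
        self.unit, self.density, self.latency = unit, density, latency
        self.sources = {}

    def check_req(self, ip, now):
        """Return True if the request is allowed (like pike_check_req()), False if blocked."""
        window = int(now // self.unit)
        st = self.sources.get(ip)
        if st is None or now - st.last_seen > self.latency:
            # unknown source, or one idle longer than remove_latency: start fresh
            st = SourceState(window=window)
            self.sources[ip] = st
        if window != st.window:
            # move on to a new window; the previous count only carries over
            # when the windows are adjacent
            st.prev_hits = st.cur_hits if window == st.window + 1 else 0
            st.cur_hits = 0
            st.window = window
        st.cur_hits += 1
        st.last_seen = now
        if st.prev_hits + st.cur_hits >= self.density:
            st.blocked = True
        return not st.blocked


def run_scenario(requests):
    """Feed (ip, timestamp) pairs in order; return (allowed, blocked) counts."""
    model = PikeModel()
    allowed = blocked = 0
    for ip, t in requests:
        if model.check_req(ip, t):
            allowed += 1
        else:
            blocked += 1
    return allowed, blocked


# Constructed traffic patterns (documentation addresses, not real devices)
def steady_device():
    """One device re-registering every 2 s for 5 minutes: 2 hits per window."""
    return run_scenario(("203.0.113.10", t) for t in range(0, 300, 2))


def scanner_burst():
    """A scanner firing 200 requests within one second."""
    return run_scenario(("198.51.100.7", 10 + i * 0.005) for i in range(200))


def shared_nat_address():
    """30 devices behind one NAT, each sending 1 request/s for a minute."""
    reqs = [("192.0.2.1", float(t)) for t in range(60) for _ in range(30)]
    return run_scenario(reqs)


def recovers_after_idle():
    """A blocked source is forgotten once it stays quiet longer than remove_latency."""
    model = PikeModel()
    for i in range(200):
        model.check_req("198.51.100.7", 10 + i * 0.005)  # gets blocked in here
    still_blocked = not model.check_req("198.51.100.7", 40.0)  # ~29 s idle
    freed = model.check_req("198.51.100.7", 40.0 + 61.0)       # 61 s idle
    return still_blocked and freed


if __name__ == "__main__":
    print("steady device   ", steady_device())
    print("scanner burst   ", scanner_burst())
    print("shared NAT      ", shared_nat_address())
    print("recovers after idle:", recovers_after_idle())
```

With the values from the post, a device re-registering every couple of seconds never comes near the limit, a burst scanner is cut off at the 80th request of a window, and the case worth checking for a fleet on dynamic addresses is many devices sharing one public address: in this model that source is blocked exactly like a scanner, so the per-window rate of legitimate traffic per source IP, not per device, is the number to compare against reqs_density_per_unit.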