Hi all,
It might be that Christmas is coming and my brain is more focused on Santa stuff instead of being able to read and understand the instructions, or that I am just TAU (tired as usual).
My problem is that I can't figure out if LF_INTERVAL is doing one or 2 things:
1) limiting the number of triggers accepted during the LF_INTERVAL number of seconds
2) setting the time between checks
Will increasing LF_INTERVAL from 300 to 1800 make the checks be done every 1800 seconds instead of every 300 seconds as well?
I want it to check every 300 seconds (or more often) but I want it to count the triggers for 1800 seconds back.
// kjg
LF_INTERVAL simple question
- Moderator
Re: LF_INTERVAL simple question
Neither really
LF_INTERVAL is a rolling timeframe within which incidents are counted continually. If x incidents occur within LF_INTERVAL seconds then the event is triggered immediately (it doesn't wait until LF_INTERVAL seconds have passed before doing this). Decreasing LF_INTERVAL will mean that you will need a high rate of incidents per interval to trigger an event. Increasing LF_INTERVAL too much can mean that infrequent incidents (typified by user error, rather than attacking bots) can cause issues for some. The default value for LF_INTERVAL is 3600 (it was raised from 300 in v6.01) to cater for slow brute force login attempts.
Re: LF_INTERVAL simple question
Thank you!
That explanation was so crisp and clear that even I understood it.
Will set it to 3600, since I really can't see any reason why it should be lower.
Thanks
// kjg
Re: LF_INTERVAL simple question
I have a related question on LF_INTERVAL: is there significantly more processing overhead when you increase this "rolling timeframe"? I've detected a very slow brute-force attacker in my logs, and I'm not sure what value I'd have to set LF_INTERVAL to in order to block these:
2017-12-23 : 2295 secs
2017-12-24 : 63248 secs
2017-12-24 : 410 secs
2017-12-24 : 3936 secs
2017-12-24 : 441 secs
2017-12-24 : 4107 secs
2017-12-24 : 444 secs
2017-12-24 : 11871 secs
2017-12-24 : 831 secs
2017-12-24 : 7678 secs
2017-12-24 : 847 secs
2017-12-24 : 7747 secs
2017-12-24 : 859 secs
2017-12-25 : 39081 secs
2017-12-25 : 862 secs
2017-12-25 : 8025 secs
2017-12-25 : 889 secs
2017-12-25 : 7963 secs
2017-12-25 : 875 secs
2017-12-25 : 14386 secs
2017-12-25 : 864 secs
2017-12-25 : 7907 secs
2017-12-25 : 869 secs
2017-12-26 : 7922 secs
2017-12-26 : 872 secs
2017-12-26 : 34895 secs
2017-12-26 : 855 secs
2017-12-26 : 7895 secs
2017-12-26 : 895 secs
2017-12-26 : 7971 secs
2017-12-26 : 877 secs
2017-12-26 : 7988 secs
2017-12-26 : 874 secs
etc...
I have my LF_INTERVAL set to the default 3600 seconds, but this attacker stayed under the radar by spreading the attempts out.
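A simplified model of the rolling window the moderator describes, added here as an illustration and not taken from csf/lfd or from any poster in this thread. It assumes each "secs" figure in the post above is the time since the previous attempt and that the "x incidents" threshold is 5; both are assumptions, and the function names are hypothetical.

```python
from collections import deque
from itertools import accumulate

# First 13 gaps (seconds) from the post above. Reading each one as
# "time since the previous attempt" is an assumption.
GAPS = [2295, 63248, 410, 3936, 441, 4107, 444, 11871, 831, 7678, 847, 7747, 859]


def event_times(gaps):
    """Turn gaps between attempts into absolute offsets in seconds."""
    return list(accumulate(gaps))


def first_trigger(times, interval, threshold):
    """Return the time of the attempt that completes `threshold` incidents
    inside a rolling window of `interval` seconds, or None if none does.
    The trigger fires on that attempt; it does not wait for the window to end."""
    window = deque()
    for t in times:
        window.append(t)
        # Drop incidents that have aged out of the rolling timeframe.
        while t - window[0] > interval:
            window.popleft()
        if len(window) >= threshold:
            return t
    return None


def smallest_interval(times, threshold):
    """Smallest window (seconds) that ever contains `threshold` incidents,
    i.e. the minimum interval at which this pattern would trigger."""
    if len(times) < threshold:
        return None
    spans = (times[i + threshold - 1] - times[i]
             for i in range(len(times) - threshold + 1))
    return min(spans)


if __name__ == "__main__":
    times = event_times(GAPS)
    threshold = 5  # assumed value for the "x incidents" in the reply above
    print("trigger at 3600s window:", first_trigger(times, 3600, threshold))
    needed = smallest_interval(times, threshold)
    print("smallest window that triggers:", needed)
    print("trigger at that window:", first_trigger(times, needed, threshold))
```

Running the same calculation over a full list of gaps for one source gives the smallest window that would have caught it at a given threshold, which can then be weighed against the moderator's caution about infrequent user errors.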