
LF_INTERVAL simple question

Posted: 22 Dec 2013, 10:07
by kjg
Hi all,
It might be that Christmas is coming and my brain is more focused on Santa stuff instead of being able to read and understand the instructions, or that I am just TAU (tired as usual).

My problem is that I can't figure out if LF_INTERVAL is doing one or 2 things:
1) limiting the number of triggers accepted during the LF_INTERVAL number of seconds
2) setting the time between checks

Will increasing LF_INTERVAL from 300 to 1800 make the checks be done every 1800 seconds instead of every 300 seconds as well?
I want it to check every 300 seconds (or more often) but I want it to count the triggers for 1800 seconds back.

// kjg

Re: LF_INTERVAL simple question

Posted: 22 Dec 2013, 10:35
by ForumAdmin
Neither really ;)

LF_INTERVAL is a rolling timeframe within which incidents are counted continually. If x incidents occur within LF_INTERVAL seconds then the event is triggered immediately (it doesn't wait until LF_INTERVAL seconds have passed before doing this). Decreasing LF_INTERVAL will mean that you will need a high rate of incidents per interval to trigger an event. Increasing LF_INTERVAL too much can mean that infrequent incidents (typified by user error, rather than attacking bots) can cause issues for some. The default value for LF_INTERVAL is 3600 (it was raised from 300 in v6.01) to cater for slow brute force login attempts.

Re: LF_INTERVAL simple question

Posted: 22 Dec 2013, 10:39
by kjg
Thank you!
That explanation was so crisp and clear that even I understood it :)

Will set it to 3600, since I really can't see any reason why it should be lower.

Thanks

// kjg

Re: LF_INTERVAL simple question

Posted: 29 Jan 2018, 10:51
by zmippie
I have a related question on LF_INTERVAL: is there significantly more processing overhead when you increase this "rolling timeframe"? I've detected a very slow brute-force attacker in my logs, and I'm not sure what value I'd have to set LF_INTERVAL to in order to block these:

2017-12-23 : 2295 secs
2017-12-24 : 63248 secs
2017-12-24 : 410 secs
2017-12-24 : 3936 secs
2017-12-24 : 441 secs
2017-12-24 : 4107 secs
2017-12-24 : 444 secs
2017-12-24 : 11871 secs
2017-12-24 : 831 secs
2017-12-24 : 7678 secs
2017-12-24 : 847 secs
2017-12-24 : 7747 secs
2017-12-24 : 859 secs
2017-12-25 : 39081 secs
2017-12-25 : 862 secs
2017-12-25 : 8025 secs
2017-12-25 : 889 secs
2017-12-25 : 7963 secs
2017-12-25 : 875 secs
2017-12-25 : 14386 secs
2017-12-25 : 864 secs
2017-12-25 : 7907 secs
2017-12-25 : 869 secs
2017-12-26 : 7922 secs
2017-12-26 : 872 secs
2017-12-26 : 34895 secs
2017-12-26 : 855 secs
2017-12-26 : 7895 secs
2017-12-26 : 895 secs
2017-12-26 : 7971 secs
2017-12-26 : 877 secs
2017-12-26 : 7988 secs
2017-12-26 : 874 secs
etc...

I have my LF_INTERVAL set to the default 3600 seconds, but this attacker stayed under the radar by spreading the attempts out.
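
Added example, not part of the thread and not csf/lfd's own code: a small Python model of the rolling timeframe described above, showing that a trigger fires on the incident that fills the window and how to compute the smallest interval that would catch evenly spaced attempts. The `limit` parameter stands in for the "x incidents" threshold and is an assumption, as are the function names and the constructed sample gaps.

```python
from collections import deque
from itertools import accumulate


def first_trigger(timestamps, limit, interval):
    """Return the time of the incident that first puts `limit` incidents
    inside a rolling `interval`-second window, or None if it never happens."""
    window = deque()
    for ts in sorted(timestamps):
        window.append(ts)
        # Drop incidents that have fallen out of the rolling timeframe.
        while ts - window[0] > interval:
            window.popleft()
        if len(window) >= limit:
            return ts  # fires on this incident, not when the interval ends
    return None


def smallest_catching_interval(timestamps, limit):
    """Smallest window (seconds) into which `limit` incidents ever fall."""
    ts = sorted(timestamps)
    if len(ts) < limit:
        return None
    return min(ts[i + limit - 1] - ts[i] for i in range(len(ts) - limit + 1))


# Constructed sample data: seconds between failed logins, alternating a
# short and a long pause, similar in shape to the pattern in the post.
SLOW_GAPS = [850, 7900, 870, 7950, 860, 7900, 880, 7920]
SLOW = [0] + list(accumulate(SLOW_GAPS))
# Constructed burst: five failures ten seconds apart.
BURST = [0, 10, 20, 30, 40]

if __name__ == "__main__":
    limit = 5  # assumed threshold ("x incidents")
    print("burst, 3600s window :", first_trigger(BURST, limit, 3600))
    print("slow,  3600s window :", first_trigger(SLOW, limit, 3600))
    needed = smallest_catching_interval(SLOW, limit)
    print("smallest window that catches the slow source:", needed)
    print("slow,  that window  :", first_trigger(SLOW, limit, needed))
```

A window wide enough to catch the slow source also counts a legitimate user's occasional failures over the same span, which is the trade-off ForumAdmin describes.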