From 05c62b9f404715370f702e295c389f6074beadf2 Mon Sep 17 00:00:00 2001 From: erwiese <11369197+erwiese@users.noreply.github.com> Date: Fri, 13 Aug 2021 13:40:33 +0000 Subject: [PATCH] add documentation for defender scores (#500) Co-authored-by: Erwin Wiesensarter --- docs/defender.md | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/docs/defender.md b/docs/defender.md index d703fbd5..e1e04913 100644 --- a/docs/defender.md +++ b/docs/defender.md @@ -4,7 +4,7 @@ The built-in `defender` allows you to configure an auto-blocking policy for SFTP If enabled it will protect SFTP, FTP and WebDAV services and it will automatically block hosts (IP addresses) that continually fail to log in or attempt to connect. -You can configure a score for each event type: +You can configure a score for the following events: - `score_valid`, defines the score for valid login attempts, eg. user accounts that exist. Default `1`. - `score_invalid`, defines the score for invalid login attempts, eg. non-existent user accounts or client disconnected for inactivity without authentication attempts. Default `2`. @@ -16,7 +16,9 @@ And then you can configure: - `threshold`, defines the threshold value before banning a host. - `ban_time`, defines the time to ban a client, as minutes -So a host is banned, for `ban_time` minutes, if it has exceeded the defined threshold during the last observation time minutes. +So a host is banned, for `ban_time` minutes, if the sum of the scores has exceeded the defined threshold during the last observation time minutes. + +Each event type can be weighted by an integer. If `score_invalid` is 3 and `threshold` is 8, it will be banned after 3 login attempts with an invalid user within the configured `observation_time`. A banned IP has no score, it makes no sense to accumulate host events in memory for an already banned IP address.
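Review bot: the first hunk's new wording ("for the following events") is fine, but the two list items it introduces still abbreviate "for example" as "eg."; since this hunk already touches the sentence right above them, changing both to "e.g." in the same change would keep the list consistent with the rest of the page.

Review bot: in the second hunk, the added paragraph has an unclear subject in "it will be banned after 3 login attempts" (the host is what gets banned, not the score), and "observation time" in the rewritten sentence should be written as `observation_time` to match `ban_time` and `threshold` in the same sentence. The worked example (`score_invalid` 3, `threshold` 8, banned after 3 attempts, i.e. 9) never states whether a sum that merely equals the threshold triggers a ban; since the sentence above says "exceeded", one phrase such as "a ban is applied once the sum is greater than `threshold`" would remove the ambiguity. The last sentence is also a comma splice; "A banned IP has no score: it makes no sense to accumulate ..." reads better.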