"Attempts" are part of being connected to the outside world. Most folk don't see them so they incorrectly assume they are not happening; they are. I'm told most are the bot networks/infected machines. Trick is to allow a typo for you or someone you want to allow in without locking them out, yet block those out there who are trying to guess userids & passwords.
There's a setting in jail.local that determines how many failed attempts will cause the i.p. to be ignored/locked out. I've set mine for two:
You can also specify a specific maxretry inside a section to override the general setting for that particular protocol.
---
As to the question about CentOS7 version effectiveness ... it'll show up in your logs when it blocks someone. You can always enable emails (bottom of fail2ban.local),
example:
[MAIL]
enabled = true
to = me@myemail.com
then define the settings for the email in each of the sections that you are using in jail.local.
example in my ssh section:
[ssh-iptables]
enabled = true
filter = sshd
action = iptables[name=SSH, port=ssh, protocol=tcp]
         sendmail-whois[name=SSH, dest=me@myemail.com, sender=fail2ban@example.com, sendername="Fail2Ban machinename"]
logpath = /var/log/secure
maxretry = 1
Of course, after the edits:
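Added example, not part of the original post: a Python sketch of how a per-section maxretry overrides the general setting, and what the difference between 1 and 2 means for a user who mistypes a password once. The jail.local fragment, the log lines and the simplified failure regex are constructed for illustration, and the findtime window is ignored.

```python
import configparser
import re
from collections import Counter

# Constructed jail.local fragment: [DEFAULT] holds the general maxretry,
# [ssh-iptables] overrides it, [vsftpd-iptables] inherits it.
JAIL_LOCAL = """
[DEFAULT]
maxretry = 2

[ssh-iptables]
enabled = true
filter = sshd
logpath = /var/log/secure
maxretry = 1

[vsftpd-iptables]
enabled = true
filter = vsftpd
logpath = /var/log/vsftpd.log
"""

# Constructed /var/log/secure lines (documentation-range addresses).
SECURE_LOG = """\
Jan 10 03:12:01 host sshd[1201]: Failed password for root from 203.0.113.7 port 40112 ssh2
Jan 10 03:12:04 host sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 40113 ssh2
Jan 10 08:30:15 host sshd[1544]: Failed password for alice from 198.51.100.20 port 51822 ssh2
Jan 10 08:30:22 host sshd[1544]: Accepted password for alice from 198.51.100.20 port 51822 ssh2
"""

# Simplified stand-in for the sshd filter, not fail2ban's own regex.
FAILED = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from (\S+) port")

def effective_maxretry(conf_text):
    """Return {jail: maxretry}; a value set in a section beats [DEFAULT]."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    return {jail: cp.getint(jail, "maxretry") for jail in cp.sections()}

def would_ban(log_text, maxretry):
    """IPs whose failure count reaches maxretry (findtime window ignored)."""
    failures = Counter(m.group(1) for m in FAILED.finditer(log_text))
    return sorted(ip for ip, n in failures.items() if n >= maxretry)

if __name__ == "__main__":
    print(effective_maxretry(JAIL_LOCAL))
    for limit in (1, 2):
        print("maxretry", limit, "would ban", would_ban(SECURE_LOG, limit))
```

With maxretry = 1 the single mistyped password from 198.51.100.20 is enough for a ban even though the next login succeeds; with 2 only the repeat guesser is blocked.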