I'm testing Imunify360 and note that it disables and replaces fail2ban. I like the herd immunity concept but am troubled by repeated login attempts with false usernames not getting added to the grey list. These incidents are listed with a severity level of 5.
I appreciate you are much smarter at detecting malicious actors than fail2ban, but still I would be happier if I could add these to the grey list, just as fail2ban would block them. My previous fail2ban setup would have locked these out.
I have changed the Imunify360 config file to include:
MOD_SEC_BLOCK_BY_SEVERITY:
  check_period: 630
  denied_num_limit: 2
  enable: true
  max_incidents: 2
  severity_limit: 5
However, incidents with more than 2 attempts within the check period are still not being grey listed.
Have I misunderstood the meaning of these variables?
Is this not possible in Imunify360?
Thank you in advance.