[Leaplist] fail2ban

Richard F. Ostrow Jr. rich at warfaresdl.com
Tue Mar 9 13:13:30 EST 2010


A fork is better than a full syslog scan, especially if the fork puts up a
quick block on the IP so it doesn't bother you again.

On Tue, March 9, 2010 9:58 am, Kevin Inscoe wrote:
> syslog-ng can be configured to execute commands, although frankly I
> like the fail2ban script idea better; you will have a lot of forks
> running from your syslogger, probably not a good idea in general for
> something like attacks.
>
> On Tue, Mar 9, 2010 at 9:39 AM, Richard F. Ostrow Jr.
> <rich at warfaresdl.com> wrote:
>> Any chance this thing can be configured to respond to a command line
>> rather than scanning a log file? Syslog can be configured to send
>> from any program (ex. sshd) to external applications (ex. fail2ban) so it
>> doesn't have to do any "scanning" of my logs... I've been using that to
>> permanently ban IPs that fail to log on even once, but thus far have not
>> put enough intelligence in there to make it immune to my internal IPs
>> (apparently, attackers have been spoofing internal IPs to lock some of my
>> internal machines out)
>>
>> On Mon, March 8, 2010 6:53 pm, Phil Barnett wrote:
>>> I was looking for a solution to automatically firewall password guessing
>>> attacks to ssh on my server and came across this interesting solution.
>>>
>>> By default, it runs as a service, it monitors logs and when it sees x number
>>> of failed attempts (defined by regex and x = 6 in the ssh monitor), it jails
>>> the IP for 600 seconds (also configurable). After 600 more seconds, it is
>>> removed from the jail.
>>>
>>> Today, it isolated and temporarily jailed 8 IP addresses.
>>>
>>> It was very easy to install and configure and comes with a variety of
>>> monitors all ready to go but turned off by default.
>>>
>>> When it jails the IP, it also fires off an email to me saying what it does
>>> along with a whois of the IP address.
>>>
>>> It appears to be very well designed and production ready in its current
>>> state. I'm going to rate this one as a keeper. A+.
>>>
>>> http://www.fail2ban.org/
>>>
>>> --
>>> This message has been scanned for viruses and
>>> dangerous content by MailScanner, and is
>>> believed to be clean.
>>>
>>> _______________________________________________
>>> Leaplist mailing list
>>> Leaplist at leap-cf.org
>>> http://lists.leap-cf.org/mailman/listinfo/leaplist
>>>
>>
>>
>> --
>> Life without passion is death in disguise
>>
>>
>> -----------------------------------------
>> This email was sent using SquirrelMail.
>>   "Webmail for nuts!"
>> http://squirrelmail.org/
>>
>>
>
>
>
> --
> Kevin P. Inscoe      http://kevininscoe.com
> Deltona, FL        kevin [at] inscoe [dot] org
>


-- 
Life without passion is death in disguise
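
An added sketch, not part of the thread and not fail2ban's own code, of the behaviour discussed above: lines arrive on stdin from the syslogger instead of being scanned out of a log file, an IP is jailed after 6 failures for 600 seconds, and allowlisted internal networks can never be locked out. The option names mirror fail2ban's `maxretry`, `findtime` and `bantime`; the regex, the 600-second counting window and the example networks are assumptions.

```python
import ipaddress
import re
from collections import defaultdict, deque

# Constructed sshd failure pattern (assumption); real filters cover more cases.
FAILED = re.compile(r"Failed password for (?:invalid user )?\S+ from (\S+) port")

class Jail:
    """Count failures per source IP in a sliding window; ban past a threshold."""
    def __init__(self, maxretry=6, findtime=600, bantime=600, ignore=("127.0.0.0/8",)):
        self.maxretry, self.findtime, self.bantime = maxretry, findtime, bantime
        self.ignore = [ipaddress.ip_network(n) for n in ignore]  # never banned
        self.failures = defaultdict(deque)  # ip -> timestamps of recent failures
        self.banned = {}                    # ip -> time at which the ban expires

    def expire(self, now):
        """Release every ban whose time is up; return the unban actions."""
        done = [ip for ip, until in self.banned.items() if until <= now]
        for ip in done:
            del self.banned[ip]
        return [("unban", str(ip)) for ip in done]

    def feed(self, line, now):
        """Process one log line seen at time `now`; return [(action, ip), ...]."""
        actions = self.expire(now)
        m = FAILED.search(line)
        if not m:
            return actions
        try:
            ip = ipaddress.ip_address(m.group(1))
        except ValueError:
            return actions  # hostname or junk in the address field: do not act
        if any(ip in net for net in self.ignore) or ip in self.banned:
            return actions  # allowlisted source, or already jailed
        hits = self.failures[ip]
        hits.append(now)
        while hits and now - hits[0] > self.findtime:
            hits.popleft()  # forget failures older than the window
        if len(hits) >= self.maxretry:
            self.banned[ip] = now + self.bantime
            del self.failures[ip]
            actions.append(("ban", str(ip)))
        return actions

if __name__ == "__main__":  # one long-lived process fed by the syslogger
    import sys, time
    jail = Jail(ignore=("127.0.0.0/8", "10.0.0.0/8"))
    for line in sys.stdin:
        for action, ip in jail.feed(line, time.time()):
            print(action, ip, flush=True)
```

Because a single process reads every line, the syslogger does not fork once per failed login; the printed `ban`/`unban` decisions are what a firewall hook would consume.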




