[Leaplist] fail2ban

Richard F. Ostrow Jr. rich at warfaresdl.com
Tue Mar 9 13:29:38 EST 2010


Hmm... I'm actually tempted to write something that actually does this
properly (i.e., via a CLI that syslog can deal with directly, rather than
this stupid "I'm going to parse the whole log file every second, no matter
how large the log is and eat up all your processing time!" approach that
fail2ban uses). This really should be using a "push" pattern rather than a
"pull" pattern... it's just stupid going the other way.
On Tue, March 9, 2010 1:13 pm, Richard F. Ostrow Jr. wrote:
> A fork is better than a full syslog scan, especially if the fork puts up a
> quick block on the IP so it doesn't bother you again
> On Tue, March 9, 2010 9:58 am, Kevin Inscoe wrote:
>> syslog-ng can be configured to execute commands although frankly I
>> like the fail2ban script idea better you will have a lot of forks
>> running from your syslogger probably not a good idea in general for
>> something like attacks.
>>
>> On Tue, Mar 9, 2010 at 9:39 AM, Richard F. Ostrow Jr.
>> <rich at warfaresdl.com> wrote:
>>> Any chance this thing can be configured to respond to a command line
>>> rather than scanning a log file? Syslog (syslog-ng) can be configured
>>> to send from any program (ex. sshd) to external applications (ex.
>>> fail2ban) so it doesn't have to do any "scanning" of my logs... I've
>>> been using that to permanently ban IPs that fail to log on even once,
>>> but thus far have not put enough intelligence in there to make it
>>> immune to my internal IPs (apparently, attackers have been spoofing
>>> internal IPs to lock some of my internal machines out)
>>> On Mon, March 8, 2010 6:53 pm, Phil Barnett wrote:
>>>> I was looking for a solution to automatically firewall password
>>>> guessing attacks to ssh my server and came across this interesting
>>>> solution.
>>>>
>>>> By default, it runs as a service, it monitors logs and when it sees x
>>>> number of failed attempts (defined by regex and x = 6 in the ssh
>>>> monitor), it jails the IP for 600 seconds (also configurable). After
>>>> 600 more seconds, it is removed from the jail.
>>>>
>>>> Today, it isolated and temporarily jailed 8 IP addresses.
>>>>
>>>> It was very easy to install and configure and comes with a variety of
>>>> monitors already to go but turned off by default.
>>>>
>>>> When it jails the IP, it also fires off an email to me saying what it
>>>> does
>>>> along with a whois of the IP address.
>>>>
>>>> It appears to be very well designed and production ready in its
>>>> current state. I'm going to rate this one as a keeper. A+.
>>>>
>>>> http://www.fail2ban.org/
>>>>
>>>> --
>>>> This message has been scanned for viruses and
>>>> dangerous content by MailScanner, and is
>>>> believed to be clean.
>>>>
>>>> _______________________________________________
>>>> Leaplist mailing list
>>>> Leaplist at leap-cf.org
>>>> http://lists.leap-cf.org/mailman/listinfo/leaplist
>>>>
>>>
>>>
>>> --
>>> Life without passion is death in disguise
>>>
>>>
>>> -----------------------------------------
>>> This email was sent using SquirrelMail.
>>>   "Webmail for nuts!"
>>> http://squirrelmail.org/
>>>
>>>
>>
>>
>>
>> --
>> Kevin P. Inscoe      http://kevininscoe.com
>> Deltona, FL        kevin [at] inscoe [dot] org
>
>


-- 
Life without passion is death in disguise
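The thread argues for a "push" design (syslog-ng handing each sshd line to an external program as it arrives) and notes the failure mode of banning on a single failed login without exempting internal addresses, which let spoofed internal source IPs lock internal machines out. The following added example, which is not fail2ban's, syslog-ng's, or any poster's code, shows what such a push-side consumer looks like: it reads log lines from stdin (the shape a syslog-ng program() destination would feed it), counts sshd failures per source IP in a sliding 600-second window, and returns a ban decision only after the sixth failure (fail2ban's ssh default as described in the thread), skipping addresses inside internal ranges. The log line format, the internal ranges, the thresholds and all sample lines are assumptions constructed for the example; a real deployment would call the firewall where `BAN` is printed.

```python
"""Push-style failed-login handler (added example, not fail2ban's own code).

Reads sshd log lines from stdin, one per line, as a syslog-ng program()
destination would deliver them, and decides which source IPs to ban.
Internal ranges are never banned, so a spoofed internal source address
cannot lock an internal machine out. Thresholds, ranges and log format are
assumptions for this example.
"""
import ipaddress
import re
import sys
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Typical syslog-format sshd failure line (assumed format for this example).
FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>\S+) port \d+"
)

MAX_FAILURES = 6                  # fail2ban's ssh default, per the thread
WINDOW = timedelta(seconds=600)   # failures older than this are forgotten
# Hypothetical internal ranges; replace with your own. Note the trade-off:
# a real brute force from inside these ranges will never be banned either.
IGNORE_NETS = [ipaddress.ip_network(n)
               for n in ("127.0.0.0/8", "10.0.0.0/8", "192.168.0.0/16")]


class BanDecider:
    """Keeps a per-IP sliding window of failure timestamps."""

    def __init__(self, max_failures=MAX_FAILURES, window=WINDOW,
                 ignore_nets=IGNORE_NETS, year=2010):
        self.max_failures = max_failures
        self.window = window
        self.ignore_nets = ignore_nets
        self.year = year              # syslog timestamps carry no year
        self.failures = defaultdict(deque)
        self.banned = set()

    def is_ignored(self, ip):
        """True if ip is inside an exempt range or is not an IP literal."""
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            return True               # hostname or garbage: do not act on it
        return any(addr in net for net in self.ignore_nets)

    def feed(self, line):
        """Process one log line; return the IP to ban when it crosses the
        threshold inside the window, otherwise None."""
        m = FAILED_RE.match(line)
        if not m:
            return None
        ip = m.group("ip")
        if self.is_ignored(ip) or ip in self.banned:
            return None
        ts = datetime.strptime(f"{self.year} {m.group('ts')}",
                               "%Y %b %d %H:%M:%S")
        window = self.failures[ip]
        window.append(ts)
        while window and ts - window[0] > self.window:
            window.popleft()          # drop failures outside the window
        if len(window) >= self.max_failures:
            self.banned.add(ip)
            window.clear()
            return ip
        return None


def ban_decisions(lines, decider=None):
    """Run lines through a decider; return the IPs banned, in order."""
    decider = decider or BanDecider()
    return [ip for ip in (decider.feed(l) for l in lines) if ip]


def _line(ts, ip, user="root"):
    return f"{ts} host sshd[1234]: Failed password for {user} from {ip} port 4444 ssh2"


# Constructed sample input: six quick failures from a public test-net address,
# seven from an internal address (spoofed or not), and six from another
# address spread 200 seconds apart so they never fit in one 600-second window.
SAMPLE_LINES = (
    [_line(f"Mar  9 09:39:{s:02d}", "203.0.113.5") for s in range(0, 12, 2)]
    + [_line(f"Mar  9 09:40:{s:02d}", "192.168.1.10") for s in range(0, 14, 2)]
    + [_line(f"Mar  9 {9 + (200 * k) // 3600:02d}:{((200 * k) % 3600) // 60:02d}:{(200 * k) % 60:02d}",
             "198.51.100.7") for k in range(6)]
)


def demo():
    return ban_decisions(SAMPLE_LINES)


if __name__ == "__main__":
    src = sys.stdin if not sys.stdin.isatty() else SAMPLE_LINES
    decider = BanDecider()
    for line in src:
        ip = decider.feed(line.rstrip("\n"))
        if ip:
            print("BAN", ip)         # real deployment: insert firewall rule here
```

Run it as `python3 ban_decider.py < /var/log/auth.log` to replay an existing log, or wire it as the program() destination of a syslog-ng log path that filters on the sshd facility; only the sixth failure inside the window produces a decision, and the internal address never does.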