[Leaplist] fail2ban
Kevin Korb
kmk at sanitarium.net
Tue Mar 9 13:35:21 EST 2010
Ours works as a pipe. The sshd logs are piped through it so there is
only 1 process and it only has to look at the data as the data comes in.
On 03/09/10 13:29, Richard F. Ostrow Jr. wrote:
> Hmm... I'm actually tempted to write something that actually does this
> properly (ie, via a CLI that syslog can deal with directly, rather than
> this stupid "I'm going to parse the whole log file every second, no matter
> how large the log is and eat up all your processing time!" approach that
> fail2ban uses). This really should be using a "push" pattern rather than a
> "pull" pattern... it's just stupid going the other way.
> On Tue, March 9, 2010 1:13 pm, Richard F. Ostrow Jr. wrote:
>> A fork is better than a full syslog scan, especially if the fork puts up a
>> quick block on the IP so it doesn't bother you again
>> On Tue, March 9, 2010 9:58 am, Kevin Inscoe wrote:
>>> syslog-ng can be configured to execute commands, although frankly I
>>> like the fail2ban script idea better. You will have a lot of forks
>>> running from your syslogger, which is probably not a good idea in general for
>>> something like attacks.
>>>
>>> On Tue, Mar 9, 2010 at 9:39 AM, Richard F. Ostrow Jr.
>>> <rich at warfaresdl.com> wrote:
>>>> Any chance this thing can be configured to respond to a command line
>>>> rather than scanning a log file? syslog-ng can be configured to send
>>>> from any program (ex. sshd) to external applications (ex. fail2ban) so it
>>>> doesn't have to do any "scanning" of my logs... I've been using that to
>>>> permanently ban IPs that fail to log on even once, but thus far have not
>>>> put enough intelligence in there to make it immune to my internal IPs
>>>> (apparently, attackers have been spoofing internal IPs to lock some of my
>>>> internal machines out)
>>>> On Mon, March 8, 2010 6:53 pm, Phil Barnett wrote:
>>>>> I was looking for a solution to automatically firewall password guessing
>>>>> attacks to ssh my server and came across this interesting solution.
>>>>>
>>>>> By default, it runs as a service, it monitors logs and when it sees x number
>>>>> of failed attempts (defined by regex and x = 6 in the ssh monitor), it jails
>>>>> the IP for 600 seconds (also configurable). After 600 more seconds, it is
>>>>> removed from the jail.
>>>>>
>>>>> Today, it isolated and temporarily jailed 8 IP addresses.
>>>>>
>>>>> It was very easy to install and configure and comes with a variety of
>>>>> monitors already to go but turned off by default.
>>>>>
>>>>> When it jails the IP, it also fires off an email to me saying what it does
>>>>> along with a whois of the IP address.
>>>>>
>>>>> It appears to be very well designed and production ready in its current
>>>>> state. I'm going to rate this one as a keeper. A+.
>>>>>
>>>>> http://www.fail2ban.org/
>>>>>
>>>>> --
>>>>> This message has been scanned for viruses and
>>>>> dangerous content by MailScanner, and is
>>>>> believed to be clean.
>>>>>
>>>>> _______________________________________________
>>>>> Leaplist mailing list
>>>>> Leaplist at leap-cf.org
>>>>> http://lists.leap-cf.org/mailman/listinfo/leaplist
>>>>>
>>>>
>>>>
>>>> --
>>>> Life without passion is death in disguise
>>>>
>>>>
>>>> -----------------------------------------
>>>> This email was sent using SquirrelMail.
>>>> "Webmail for nuts!"
>>>> http://squirrelmail.org/
>>> --
>>> Kevin P. Inscoe http://kevininscoe.com
>>> Deltona, FL kevin [at] inscoe [dot] org
--
~*-,._.,-*~'`^`'~*-,._.,-*~'`^`'~*-,._.,-*~'`^`'~*-,._.,-*~'`^`'~*-,._.,-*~
Kevin Korb Phone: (407) 252-6853
Systems Administrator Internet:
FutureQuest, Inc. Kevin at FutureQuest.net (work)
Orlando, Florida kmk at sanitarium.net (personal)
Web page: http://www.sanitarium.net/
PGP public key available on web site.
~*-,._.,-*~'`^`'~*-,._.,-*~'`^`'~*-,._.,-*~'`^`'~*-,._.,-*~'`^`'~*-,._.,-*~
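The pipe-style filter Kevin describes, with the threshold and jail timing from Phil's summary (6 failures, 600 second jail, then release) and the internal-address exclusion Richard is after, as an added example for this thread. It is not FutureQuest's script and not fail2ban's code; the sshd log line format, the ignored networks and the `BAN`/`UNBAN` output are assumptions.

```python
import re
import sys
import time
from collections import defaultdict, deque
from ipaddress import ip_address, ip_network

# sshd failure line (assumed format); greedy .* takes the LAST "from ... port", never username text
FAILED_RE = re.compile(r"sshd\[\d+\]: Failed password for .* from (\S+) port \d+")

class StreamBanner:
    def __init__(self, maxretry=6, findtime=600, bantime=600, ignore=("127.0.0.0/8", "192.168.0.0/16")):
        self.maxretry, self.findtime, self.bantime = maxretry, findtime, bantime
        self.ignore = [ip_network(n) for n in ignore]  # internal nets: never banned
        self.failures = defaultdict(deque)  # addr -> failure timestamps inside findtime
        self.banned = {}                    # addr -> time at which the ban lifts
    def feed(self, line, now):
        """Return the IP to ban when this line is its maxretry-th failure in findtime, else None."""
        m = FAILED_RE.search(line)
        try:
            addr = ip_address(m.group(1) if m else "")
        except ValueError:
            return None  # not a failure line, or garbage where an address should be
        if addr in self.banned or any(addr in net for net in self.ignore):
            return None
        q = self.failures[addr]
        q.append(now)
        while q and now - q[0] > self.findtime:  # slide the window forward
            q.popleft()
        if len(q) < self.maxretry:
            return None
        self.banned[addr] = now + self.bantime
        q.clear()
        return str(addr)

    def expire(self, now):
        """Lift bans whose bantime has elapsed; returns the IPs released."""
        done = [a for a, until in self.banned.items() if until <= now]
        for a in done:
            del self.banned[a]
        return [str(a) for a in done]

if __name__ == "__main__":  # pipe usage: log lines on stdin, decisions on stdout
    banner = StreamBanner()
    for raw in sys.stdin:
        now = time.time()
        for ip in banner.expire(now):
            print(f"UNBAN {ip}", flush=True)  # a deployment would call the firewall here
        ip = banner.feed(raw, now)
        if ip:
            print(f"BAN {ip}", flush=True)
```

Because the process only sees data as it is piped in, a ban is released on the first line that arrives after its 600 seconds are up, so a quiet server lifts bans late rather than early.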