NetBSD-Users archive
Re: fail2ban-like tool ?
On Thu, Sep 29, 2011 at 02:15:53PM +0200, Étienne wrote:
> "Manuel Bouyer" <bouyer%antioche.eu.org@localhost> wrote:
>
> > Hello,
> > I have a centralized log server, and I'd like to have a real-time
> > analysis tool to block the bad guys at the router level.
> > I looked at fail2ban and it looks like it could do the job, but
> > maybe there's some other tools I'm not aware of.
> > What are you guys using for this kind of job ?
>
> I use a PF macro found in a howto called "Cleaning up the backyard". It seems
> to be unavailable right now. Extracted from Google cache:
>
> "grind" option will be used on sensitive services where outsiders
> grinding logins should not be allowed, brute forcing SSH or MYSQL
> logins for example. It translates to say that any source can only
> have a total of three connections, and they may not create them at a
> rate faster than two every five minutes. If they do, they will be
> added to the abusers table and every packet/session will be globally
> dropped. "grind" is only the name of the macro and could be any string
> desired.
>
> grind="(max-src-conn 3, max-src-conn-rate 2/5, overload <abusers> flush global)"
>
> This mostly protects against dictionary attacks, login with public/private
> keys only makes it better. There's no analysis/report of the logs, though,
> I'm not sure how important it is to you. Last, I use this with OpenBSD's PF
> version, but I would expect the portable version to accept it as well.
That won't work for what I have in mind. You can't restrict access to
a web server, yet I want to block attacks against it (webmail mostly,
but also the other login boxes you can find on typical web tools today)
--
Manuel Bouyer <bouyer%antioche.eu.org@localhost>
NetBSD: 26 years of experience will always make the difference
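
Added example, not part of the original thread or of any tool named in it: a log-driven analogue of the quoted macro for the web-login case raised in the reply. It counts failed logins per source from the central log and builds the pfctl commands that would add offenders to the <abusers> table. The log line format, the threshold of 5 failures in 300 seconds, and the function names are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime
from ipaddress import ip_address

# Assumed log format (constructed for this example, not a real webmail's):
#   <ISO timestamp> <host> webmail: login failed user=<name> src=<ip>
FAIL_RE = re.compile(r"^(\S+) \S+ webmail: login failed user=\S+ src=(\S+)$")
PF_TABLE = "abusers"  # table name used by the macro quoted in the thread

def find_abusers(lines, max_failures=5, window=300):
    """Return sources with more than max_failures failed logins inside any
    sliding window of `window` seconds (both defaults are assumptions)."""
    recent = defaultdict(deque)  # src -> timestamps of recent failures
    flagged = []
    for line in lines:
        m = FAIL_RE.match(line.strip())
        if not m:
            continue  # not a failed-login line
        try:
            ts = datetime.fromisoformat(m.group(1)).timestamp()
            src = str(ip_address(m.group(2)))  # reject junk before it reaches pfctl
        except ValueError:
            continue
        q = recent[src]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()  # drop failures that fell out of the window
        if len(q) > max_failures and src not in flagged:
            flagged.append(src)
    return flagged

def pfctl_commands(addresses, table=PF_TABLE):
    """Build (not run) the pfctl argument lists that add each address to the table."""
    return [["pfctl", "-t", table, "-T", "add", a] for a in addresses]

# Constructed sample: 203.0.113.7 fails six times in 50 s, 198.51.100.9 twice, far apart.
SAMPLE_LOG = [
    f"2011-09-29T14:00:{s:02d} mail1 webmail: login failed user=bob src=203.0.113.7"
    for s in range(0, 60, 10)
] + [
    "2011-09-29T14:00:05 mail1 webmail: login failed user=amy src=198.51.100.9",
    "2011-09-29T14:09:05 mail1 webmail: login failed user=amy src=198.51.100.9",
    "2011-09-29T14:10:00 mail1 webmail: login ok user=amy src=198.51.100.9",
]

if __name__ == "__main__":
    for cmd in pfctl_commands(find_abusers(SAMPLE_LOG)):
        print(" ".join(cmd))
```

The source field is parsed with ipaddress before it is used, so a crafted log entry cannot smuggle extra arguments into the pfctl call.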