NetBSD-Users archive


Re: fail2ban-like tool ?



"Manuel Bouyer" <bouyer%antioche.eu.org@localhost> wrote:

> Hello,
> I have a centralized log server, and I'd like to have a real-time
> analysis tool to block the bad guys at the router level.
> I looked at fail2ban and it looks like it could do the job, but
> maybe there's some other tools I'm not aware of.
> What are you guys using for this kind of job ?

I use a PF macro found in a howto called "Cleaning up the backyard". It seems 
to be unavailable right now. Extracted from Google cache:

    “grind” option will be used on sensitive services where outsiders
    grinding logins should not be allowed, brute forcing SSH or MYSQL
    logins for example. It translates to say that any source can only
    have a total of three connections, and they may not create them at a
    rate faster than two every five minutes. If they do, they will be
    added to the abusers table and every packet/session will be globally
    dropped. “grind” is only the name of the macro and could be any string
    desired.

    grind="(max-src-conn 3, max-src-conn-rate 2/5, overload <abusers> flush global)"

This mostly protects against dictionary attacks, login with public/private 
keys only makes it better. There's no analysis/report of the logs, though, I'm 
not sure how important it is to you. Last, I use this with OpenBSD's PF 
version, but I would expect the portable version to accept it as well.

Regards,

-- 
Étienne
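
The macro from the message above placed in a minimal pf.conf, as an added example that is not part of the original post or the quoted howto. The interface name `em0`, the `ext_if` macro and the choice of SSH as the protected service are assumptions.

```conf
# Added example, not from the original post. Interface name is an assumption.
ext_if = "em0"

# Macro quoted in the message: at most 3 simultaneous connections per source,
# at most 2 new connections per 5 seconds-window pair "2/5" as given in the howto,
# offenders are added to <abusers> and all their existing states are flushed.
grind = "(max-src-conn 3, max-src-conn-rate 2/5, overload <abusers> flush global)"

# The overload action needs a table to write to; "persist" keeps it
# in memory even while it is empty.
table <abusers> persist

# Without a block rule the table is only a list. "quick" stops rule
# evaluation, so no later pass rule can let an abuser back in.
block in quick on $ext_if from <abusers>

# Apply the limits to the sensitive service. max-src-conn and
# max-src-conn-rate count TCP connections that completed the 3-way
# handshake, so a spoofed source address cannot get a victim listed.
pass in on $ext_if proto tcp from any to ($ext_if) port ssh \
    flags S/SA keep state $grind
```

The ruleset can be syntax-checked without loading it using `pfctl -nf /etc/pf.conf`, and the sources currently blocked can be listed with `pfctl -t abusers -T show`.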

