Re: fail2ban-like tool ?
"Manuel Bouyer" <bouyer%antioche.eu.org@localhost> wrote:
> I have a centralized log server, and I'd like to have a real-time
> analysis tool to block the bad guys at the router level.
> I looked at fail2ban and it looks like it could do the job, but
> maybe there's some other tools I'm not aware of.
> What are you guys using for this kind of job ?
I use a PF macro found in a howto called "Cleaning up the backyard". It seems
to be unavailable right now. Extracted from Google cache:
“grind” option will be used on sensitive services where outsiders
grinding logins should not be allowed, brute forcing SSH or MYSQL
logins for example. It translates to say that any source can only
have a total of three connections, and they may not create them at a
rate faster than two every five minutes. If they do, they will be
added to the abusers table and every packet/session will be globally
dropped. “grind” is only the name of the macro and could be any string
grind="(max-src-conn 3, max-src-conn-rate 2/5, overload <abusers> flush global)"
This mostly protects against dictionary attacks, login with public/private
keys only makes it better. There's no analysis/report of the logs, though, I'm
not sure how important it is to you. Last, I use this with OpenBSD's PF
version, but I would expect the portable version to accept it as well.
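As an added example (not from the original post or the "Cleaning up the backyard" howto), here is a minimal pf.conf showing where the macro above actually plugs in: the table it overloads into, the quick block rule that drops known abusers, and the pass rule whose state options carry the limits. The interface name and the service ports are assumptions for illustration. One caveat worth knowing before copying it: pf's max-src-conn-rate takes number/seconds, so 2/5 means two new connections per five seconds, not per five minutes as the howto excerpt says.

```pf
# Added example, not the howto's or the poster's own config.
# "em0", port 22 and port 3306 are assumptions for illustration.
ext_if = "em0"

# Sources that trip the limits are added here; "persist" keeps the table
# around even while no rule references it (e.g. during a reload).
table <abusers> persist

# Per-source limits: at most 3 concurrent TCP connections, and no more
# than 2 new connections per 5 seconds (pf's rate unit is seconds).
# On overflow the source goes into <abusers> and "flush global" tears
# down every state that source has, not only those made by this rule.
grind = "(max-src-conn 3, max-src-conn-rate 2/5, overload <abusers> flush global)"

# "quick" makes this a final match, so abusers are dropped before any
# later pass rule can admit them.
block drop in quick on $ext_if from <abusers>

# Only connections creating state through this rule are counted against
# the limits; the check happens when the state is created.
pass in on $ext_if proto tcp from any to ($ext_if) port { 22, 3306 } \
    flags S/SA keep state $grind
```

Once loaded, `pfctl -t abusers -T show` lists who has been caught, `pfctl -t abusers -T delete <addr>` releases one host, and `pfctl -t abusers -T expire 86400` (typically from cron) drops entries older than a day so a one-off mistake is not a permanent ban. Note that the limits are per source address: a whole office behind one NAT address counts as a single source, so set the numbers with that in mind, and keep the block rule above any pass rule that could otherwise match the same traffic.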