NetBSD-Users archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

Re: fail2ban-like tool ?

"Manuel Bouyer" <> wrote:

> Hello,
> I have a centralized log server, and I'd like to have a real-time
> analysis tool to block the bad guys at the router level.
> I looked at fail2ban and it looks like it could do the job, but
> maybe there's some other tools I'm not awayre of.
> What are you guys using for this kind of job ?

I use a PF macro found in a howto called "Cleaning up the backyard". It seems 
to be unavailable right now. Extracted from Google cache:

    “grind” option will be used on sensitive services where outsiders
    grinding logins should not be allowed, brute forcing SSH or MYSQL
    logins for example. It translates to say that any source can only
    have a total of three connections, and they may not create them at a
    rate faster than two every five minutes. If they do, they will be
    added to the abusers table and every packet/session will be globally
    dropped. “grind” is only the name of the macro and could be any string

    grind="(max‐src‐conn 3, max‐src‐conn‐rate 2/5, overload <abusers> flush 

This mostly protects against dictionnary attacks, login with public/private 
keys only makes it better. There's no analysis/report of the logs, though, I'm 
not sure how important it is to you. Last, I use this with OpenBSD's PF 
version, but I would expect the portable version to accept it as well.



Home | Main Index | Thread Index | Old Index