Well, my company's main business is shared hosting and we do host hundreds of websites with thousands of email accounts on dual core servers.
A php script scans maillog (pop) and eximlog (smtp) every minute, while another one scans xferlog (ftp) and authlog (ssh) every 3 minutes. We flush (reset) ipfw firewall rules every 4 hours.
It does not cause load, or we haven't noticed until now. Why php? Well, this is because I'm personally an (advanced) php script designer and mysql database administrator. I'm not really good at C++, maybe a beginner. I call php to read all log files.
Regards,

Steven M. Bellovin, 10/16/08 16:14:

On Thu, 16 Oct 2008 13:59:50 +0300 Cem Kayali <cemkayali%eticaret.com.tr@localhost> wrote:

Well, if someone is interested, I have a custom created 'php script' that is run by a cron job and scans auth.log and then creates a firewall rule if it detects brute force attacks and/or a certain number of incorrect authentications. It clears all rules occasionally. It may scan other ports as well, such as pop, smtp, ftp.

Does it actually help? I'd say that that boils down to how long the attacks last, versus how often you run the script.

--Steve Bellovin, http://www.cs.columbia.edu/~smb
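
The scan discussed in this thread, as an added Python example that is not part of the original messages and is not the poster's PHP script: it counts failed SSH logins per source address, builds ipfw deny commands without running them, and reports how long each attack had been idle when the scan ran. The log lines, host name, year, threshold of 3 and starting rule number 2000 are constructed assumptions.

```python
import ipaddress
import re
from datetime import datetime

YEAR = 2008  # assumption: syslog timestamps carry no year
# Constructed sample auth.log lines (documentation IP ranges, made-up host).
SAMPLE_LOG = """\
Oct 16 13:00:05 web1 sshd[811]: Failed password for root from 203.0.113.5 port 40112 ssh2
Oct 16 13:00:09 web1 sshd[811]: Failed password for invalid user admin from 203.0.113.5 port 40113 ssh2
Oct 16 13:00:14 web1 sshd[812]: Failed password for invalid user test from 203.0.113.5 port 40115 ssh2
Oct 16 13:00:40 web1 sshd[820]: Accepted password for steve from 198.51.100.7 port 51000 ssh2
Oct 16 13:01:30 web1 sshd[830]: Failed password for invalid user a from 192.0.2.9 port 1 ssh2 from 203.0.113.77 port 51001 ssh2
Oct 16 13:02:10 web1 sshd[840]: Failed password for steve from 198.51.100.7 port 51002 ssh2
"""
# The user name is attacker-controlled, so anchor on the END of the line:
# the greedy .* swallows any " from <ip>" forged inside the user name.
FAILED = re.compile(
    r"^(\w{3} +\d+ [\d:]{8}) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?.* from (\S+) port \d+ ssh2$")

def failures(log_text):
    """Return {ip: [datetime, ...]} for failed SSH password attempts."""
    seen = {}
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if not m:
            continue
        try:  # never pass an unvalidated string on to a firewall command
            ip = str(ipaddress.ip_address(m.group(2)))
        except ValueError:
            continue
        when = datetime.strptime(f"{YEAR} {m.group(1)}", "%Y %b %d %H:%M:%S")
        seen.setdefault(ip, []).append(when)
    return seen

def block_rules(log_text, scan_time, threshold=3, first_rule=2000):
    """Return [(ipfw command, seconds since the IP's last failure)]."""
    rules = []
    for ip, times in sorted(failures(log_text).items()):
        if len(times) < threshold:
            continue
        idle = int((scan_time - max(times)).total_seconds())
        cmd = f"ipfw -q add {first_rule + len(rules)} deny ip from {ip} to any"
        rules.append((cmd, idle))
    return rules

if __name__ == "__main__":
    for cmd, idle in block_rules(SAMPLE_LOG, datetime(2008, 10, 16, 13, 3, 0)):
        print(f"{cmd}   # last attempt {idle}s before the scan")
```

The idle figure puts a number on the question raised in the thread: a rule installed that long after the last attempt only helps if the same address comes back before the rules are flushed.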