[165347] in North American Network Operators' Group


Re: Parsing Syslog and Acting on it, using other input too

daemon@ATHENA.MIT.EDU (Christopher Morrow)
Fri Aug 30 10:00:57 2013

In-Reply-To: <d98958a2-dc6d-45a9-8ddc-479075c1fe35@email.android.com>
Date: Fri, 30 Aug 2013 10:00:06 -0400
From: Christopher Morrow <morrowc.lists@gmail.com>
To: Shawn Wilson <ag4ve.us@gmail.com>
Cc: NANOG list <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

On Fri, Aug 30, 2013 at 8:55 AM, Shawn Wilson <ag4ve.us@gmail.com> wrote:
>
>
> Christopher Morrow <morrowc.lists@gmail.com> wrote:
>>On Thu, Aug 29, 2013 at 10:50 AM, Don Wilder <don.wilder@gmail.com>
>>wrote:
>>> I wrote a script in Linux that watches for unauthorized login
>>attempts and
>>> adds the ip address to the blocked list in my firewall. You might
>>want to
>>> search sourceforge for a DYN Firewall and modify it from there.
>>>
>>
>>because fail2ban was too hard to install? or because you just wanted
>>to test yourself?
>
> Actually I did the same. I use ipset lists (generally with a timeout) and take a regex or two and black / white list from a YAML file and just take (possibly multiple inputs) from piping tail -F. I also store addresses for future reference (by the script or otherwise).
>
> This is quite maintainable as I can look at a list of people who have attacked the mail server and compare it to web attacks. Each process is a different type of service (different config file) and probably a different ipset. Due to ipset not actually doing anything until I make an iptables rule for it, I can run my script in a test mode (by default) and just see what happens (check its logs and the ipset list it generates). I haven't found the need for this yet but I can use cymru to look up how big their net is (see geocidr for an example of how to do this in perl) and use a hash:net ipset type and cover a whole net.
>
> Basically what I'm saying in doing it this way is quite expandable and isn't very hard and I can do tons of stuff that fail2ban can't (I don't think - it's been a while since I looked).

you seem to be describing what fail2ban does... that and some grep of
syslog for fail2ban messages. If your solution works then great! :)
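The design Shawn describes in the quoted post (regexes over a `tail -F` feed, a white/black list from a config file, an ipset with a timeout, and a test mode that is on by default because the set matches nothing until an iptables rule references it) is shown below as an added example in Python. It is not either poster's script and not fail2ban code; the set name `sshd_attackers`, the threshold, the timeout, the inline config dict standing in for the YAML file, and the syslog excerpt are all constructed assumptions.

```python
"""Syslog watcher in the spirit of the post: match failed logins with a
regex, honour a white/black list, and emit ipset commands. Added example,
not the poster's script; set name, threshold, timeout and logs are made up."""
import ipaddress
import re
import subprocess
import sys
from collections import Counter

# Constructed configuration. The poster keeps this in a YAML file per
# service; the same structure is inlined here as a plain dict.
CONFIG = {
    "setname": "sshd_attackers",     # hypothetical ipset name
    "timeout": 3600,                 # seconds; ipset expires the entry itself
    "threshold": 3,                  # failures before an address is added
    "patterns": [
        r"sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from (?P<ip>[0-9.]+) port",
        r"sshd\[\d+\]: Invalid user \S+ from (?P<ip>[0-9.]+) port",
    ],
    "whitelist": ["192.0.2.0/24"],   # never blocked, even past the threshold
    "blacklist": ["198.51.100.7"],   # blocked on first sighting
}

# Constructed syslog excerpt using documentation address ranges. The postfix
# line shows that a config for one service ignores another service's lines.
SAMPLE_LOG = """\
Aug 30 09:55:01 mx1 sshd[2201]: Invalid user admin from 203.0.113.5 port 50122
Aug 30 09:55:03 mx1 sshd[2201]: Failed password for invalid user admin from 203.0.113.5 port 50122 ssh2
Aug 30 09:55:09 mx1 sshd[2207]: Failed password for root from 203.0.113.5 port 50130 ssh2
Aug 30 09:55:20 mx1 sshd[2213]: Failed password for root from 203.0.113.9 port 41000 ssh2
Aug 30 09:56:00 mx1 sshd[2220]: Failed password for ops from 192.0.2.10 port 3300 ssh2
Aug 30 09:56:04 mx1 sshd[2220]: Failed password for ops from 192.0.2.10 port 3300 ssh2
Aug 30 09:56:08 mx1 sshd[2220]: Failed password for ops from 192.0.2.10 port 3300 ssh2
Aug 30 09:56:30 mx1 sshd[2231]: Failed password for root from 198.51.100.7 port 2222 ssh2
Aug 30 09:57:00 mx1 sshd[2240]: Accepted publickey for ops from 192.0.2.10 port 3310 ssh2
Aug 30 09:57:05 mx1 postfix/smtpd[2300]: connect from unknown[203.0.113.5]
"""


def _parse_nets(entries):
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def _in_any(ip, nets):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


def scan(lines, cfg):
    """Count matching failures per source address. Lines that match no
    pattern (other services, successful logins) are ignored, and a line
    counts at most once even if more than one pattern would match it."""
    patterns = [re.compile(p) for p in cfg["patterns"]]
    counts = Counter()
    for line in lines:
        for pat in patterns:
            m = pat.search(line)
            if m:
                try:
                    ip = str(ipaddress.ip_address(m.group("ip")))
                except ValueError:
                    break  # regex matched but the capture is not an address
                counts[ip] += 1
                break
    return counts


def decide(counts, cfg):
    """Apply the white/black lists and the threshold; return addresses to block."""
    allow = _parse_nets(cfg["whitelist"])
    deny = _parse_nets(cfg["blacklist"])
    blocked = []
    for ip, n in counts.items():
        if _in_any(ip, allow):
            continue
        if _in_any(ip, deny) or n >= cfg["threshold"]:
            blocked.append(ip)
    return sorted(blocked, key=ipaddress.ip_address)


def ipset_commands(blocked, cfg):
    """Build the ipset commands. The set matches no traffic until an iptables
    rule references it, which is what makes running them in test mode safe."""
    name, ttl = cfg["setname"], cfg["timeout"]
    cmds = [f"ipset create {name} hash:ip timeout {ttl} -exist"]
    cmds += [f"ipset add {name} {ip} timeout {ttl} -exist" for ip in blocked]
    return cmds


def apply_commands(cmds, test_mode=True):
    """Test mode (the default, as in the post) only prints what would run."""
    for cmd in cmds:
        if test_mode:
            print("[test]", cmd)
        else:
            subprocess.run(cmd.split(), check=True)


if __name__ == "__main__":
    # Real use: tail -F /var/log/auth.log | python3 watcher.py
    lines = SAMPLE_LOG.splitlines() if sys.stdin.isatty() else sys.stdin
    apply_commands(ipset_commands(decide(scan(lines, CONFIG), CONFIG), CONFIG))
```

Run as-is it scans the embedded sample and prints three commands in test mode: one `ipset create`, then `ipset add` for 198.51.100.7 (blacklisted on first sighting) and 203.0.113.5 (three failures); 203.0.113.9 stays under the threshold and 192.0.2.10 is whitelisted despite three failures. Nothing is dropped until a rule such as `iptables -I INPUT -m set --match-set sshd_attackers src -j DROP` references the set, which is the property the post relies on for its default test mode. For a live `tail -F` feed you would call `decide` after each line rather than at end of input, and the per-service config files the post mentions are just different `CONFIG` dicts with their own patterns and set names.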
