nanog mailing list archives

Re: Parsing Syslog and Acting on it, using other input too

From: shawn wilson <ag4ve.us () gmail com>
Date: Fri, 30 Aug 2013 11:17:37 -0400

Ah it seems they do:
https://github.com/fail2ban/fail2ban/blob/master/config/action.d/iptables-ipset-proto6.conf

IDK enough about fail2ban to know whether I can assign a per proto or per
log type config (I assume I can). In which casethis does what my script
does and then some. I would probably dump out a ipset save on exit and try
to 'restore' on resume (which /I/ do) and I'm sure there's a way fail2ban
can check a store of addresses and check what network a host belongs to
(instead of just a host).

So, fail2ban is probably the way to go.


On Fri, Aug 30, 2013 at 10:00 AM, Christopher Morrow <
morrowc.lists () gmail com> wrote:

On Fri, Aug 30, 2013 at 8:55 AM, Shawn Wilson <ag4ve.us () gmail com> wrote:



Christopher Morrow <morrowc.lists () gmail com> wrote:

On Thu, Aug 29, 2013 at 10:50 AM, Don Wilder <don.wilder () gmail com>
wrote:

I wrote a script in Linux that watches for unauthorized login

attempts and

adds the ip address to the blocked list in my firewall. You might

want to

search sourceforge for a DYN Firewall and modify it from there.


because fail2ban was too hard to install? or because you just wanted
to test yourself?


Actually I did the same. I use ipset lists (generally with a timeout)

and take a regex or two and black / white list from a YAML file and just
take (possibly multiple inputs) from piping tail -F. I also store addresses
for future reference (by the script or otherwise).


This is quite maintainable as I can look at a list of people who have

attacked the mail server and compare it to web attacks. Each process is a
different type of service (different config file) and probably a different
ipset. Due to ipset not actually doing anything until I make an iptables
rule for it, I can run my script in a test mode (by default) and just see
what happens (check it's logs and the ipset list it generates). I haven't
found the need for this yet but I can use cymru to look up how big their
net is (see geocidr for an example of how to do this in perl) and use a
hash:net ipset type and cover a whole net.


Basically what I'm saying in doing it this way is quite expandable and

isn't very hard and I can do tons of stuff that fail2ban can't (I don't
think - it's been a while since I looked).

you seem to be describing what fail2ban does... that and some grep of
syslog for fail2ban messages. If your solution works then great! :)

Current thread:

Re: Parsing Syslog and Acting on it, using other input too, (continued)
- - - Re: Parsing Syslog and Acting on it, using other input too Charles N Wyble (Aug 29)
  - Re: Parsing Syslog and Acting on it, using other input too Sam Moats (Aug 29)
    - Re: Parsing Syslog and Acting on it, using other input too Blake Dunlap (Aug 29)
- Re: Parsing Syslog and Acting on it, using other input too Dobbins, Roland (Aug 29)
- RE: Parsing Syslog and Acting on it, using other input too Thijs Stuurman (Aug 29)
- Re: Parsing Syslog and Acting on it, using other input too Mike Tancsa (Aug 29)
  - Re: Parsing Syslog and Acting on it, using other input too Don Wilder (Aug 29)
    - Re: Parsing Syslog and Acting on it, using other input too Christopher Morrow (Aug 29)
    - Re: Parsing Syslog and Acting on it, using other input too Shawn Wilson (Aug 30)
    - Re: Parsing Syslog and Acting on it, using other input too Christopher Morrow (Aug 30)
    - Re: Parsing Syslog and Acting on it, using other input too shawn wilson (Aug 30)
- Re: Parsing Syslog and Acting on it, using other input too Gino O'Donnell (Aug 29)
- Re: Parsing Syslog and Acting on it, using other input too Carlos Alcantar (Aug 29)
  - Re: Parsing Syslog and Acting on it, using other input too chip (Aug 29)