Fail2ban and qpopper
Most people use fail2ban to block SSH scans, but it can do a lot more for you. Thanks to its modular nature, you can scan almost any log file for things you don't like and block them.
If you look in /etc/fail2ban/filter.d/ you can see a lot of predefined filters for several mail and FTP servers. Usually it takes only one regular expression to block scans. Here, for instance, is the filter for qpopper POP3 servers:
/etc/fail2ban/filter.d/qpopper.conf
# Fail2Ban configuration file
[Definition]
# Option: failregex
# Notes.: regex to match the password failures messages in the logfile. The
# host must be matched by a group named "host". The tag "<HOST>" can
# be used for standard IP/hostname matching.
# Values: TEXT
#
failregex = \(<HOST>\):\ -ERR\ \[AUTH\]
#
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =
/etc/fail2ban/jail.conf
[qpopper]
enabled = true
port = pop3
filter = qpopper
logpath = /var/log/mail.log
This works for Debian Etch. For OpenSuSE look here.
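To see what this filter and jail do with a log, here is an added example (not part of the original post and not fail2ban's own code) that applies the failregex above to constructed qpopper-style log lines and counts failures per host. The <HOST> expansion is simplified to IPv4, and the maxretry and findtime values are assumptions, since the jail section above does not set them.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

FAILREGEX = r"\(<HOST>\):\ -ERR\ \[AUTH\]"  # failregex from qpopper.conf
# Assumption: simplified IPv4-only stand-in for fail2ban's <HOST> tag.
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
PATTERN = re.compile(FAILREGEX.replace("<HOST>", HOST))

# Constructed qpopper-style syslog lines (not taken from a real server).
_FMT = "Mar 21 {t} mail qpopper[4711]: bob at client.example.net ({ip}): {msg}"
_AUTH = '-ERR [AUTH] Password supplied for "bob" is incorrect.'
SAMPLE = [_FMT.format(t=t, ip=ip, msg=msg) for t, ip, msg in [
    ("10:00:01", "192.0.2.10", _AUTH),
    ("10:00:04", "192.0.2.10", _AUTH),
    ("10:00:05", "203.0.113.5", "-ERR POP EOF or I/O Error"),  # not an auth failure
    ("10:00:09", "192.0.2.10", _AUTH),
    ("10:05:00", "198.51.100.7", _AUTH),  # failures 25 minutes apart
    ("10:30:00", "198.51.100.7", _AUTH),
    ("10:55:00", "198.51.100.7", _AUTH),
]]

def failures(lines, year=2008):
    """Return (timestamp, host) for every line the failregex matches."""
    hits = []
    for line in lines:
        m = PATTERN.search(line)
        if m:
            # Syslog timestamps carry no year, so one is supplied here.
            ts = datetime.strptime(f"{year} {line[:15]}", "%Y %b %d %H:%M:%S")
            hits.append((ts, m.group("host")))
    return hits

def hosts_to_ban(lines, maxretry=3, findtime=600):
    """Hosts reaching maxretry failures within findtime seconds (assumed values)."""
    recent, banned = defaultdict(list), []
    for ts, host in failures(lines):
        cutoff = ts - timedelta(seconds=findtime)
        recent[host] = [t for t in recent[host] if t >= cutoff] + [ts]
        if len(recent[host]) >= maxretry and host not in banned:
            banned.append(host)
    return banned

if __name__ == "__main__":
    for ts, host in failures(SAMPLE):
        print(ts, host)
    print("would ban:", hosts_to_ban(SAMPLE))
```

On a host with fail2ban installed, fail2ban-regex /var/log/mail.log /etc/fail2ban/filter.d/qpopper.conf runs the real filter against the real log.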
Posted: March 21st, 2008 under Linux, Software.