need decent documentation for fail2ban / dshield integration


Adam Spiers

Sep 16, 2013, 7:27:08 AM
to iscds...@googlegroups.com
Hi there,

I would happily configure my fail2ban installation to forward data to dshield if there were easily understandable instructions for how to do this.  The dshield website doesn't even mention it as a client on https://secure.dshield.org/howto.html - and the fail2ban documentation for the dshield action plugin is too lightweight to be useful.  Perhaps the dshield and fail2ban people could collaborate to fix this?

Thanks,
Adam

Mike Hale

Sep 16, 2013, 11:37:47 PM
to iscds...@googlegroups.com
Well, fail2ban isn't a firewall...exporting those logs wouldn't be
much help. You want to export your iptables logs.



--
09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0

Tom Byrnes

Sep 17, 2013, 1:57:25 AM
to iscds...@googlegroups.com
I disagree.

Denyhosts is a very effective datasource for blocking.

Fail2ban works the same way, but for more authentication mechanisms.

If you apply the DShield method: correlate the same attacker across multiple sites and then block if it exceeds the threshold, it could be very effective.

ThreatSTOP are actually working on a way to be the aggregator and correlator for fail2ban.

It's not as simple as with denyhosts, which is strictly for ssh logins, since fail2ban is for multiple targets, and not everyone cares who is trying to exploit every target type, but it is useful, IMNSHO.
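The correlation Tom describes (the same attacker seen at several independent sites, blocked once the count passes a threshold) is easy to prototype against fail2ban's own log. The script below is an added example written for this page; it is not code from the thread, from fail2ban, from DShield or from ThreatSTOP. It assumes the reporting sites ship their `fail2ban.log` text to an aggregator, that "Ban" lines look like the ones fail2ban 0.8/0.9 write (both the plain `fail2ban.actions:` and the `fail2ban.actions[pid]:` variants are accepted), and it ignores `Unban` and unrelated lines so that a lifted ban is not counted as a sighting. The site names, the log lines and the RFC 5737 addresses are constructed for the example.

```python
"""Aggregate fail2ban 'Ban' events from several sites and emit a block list of
attackers seen at a threshold number of distinct sites (added example; the log
lines, site names and threshold are constructed/assumed, not from the thread)."""
import re
from collections import defaultdict

# Matches fail2ban ban lines in both common layouts:
#   2013-09-16 07:27:08,123 fail2ban.actions: WARNING [ssh] Ban 203.0.113.5
#   2013-09-16 08:02:19,789 fail2ban.actions[2210]: NOTICE [sshd] Ban 203.0.113.5
# 'Unban' lines deliberately do not match: after the jail bracket the word
# must be exactly 'Ban'.
BAN_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d{3}\s+"
    r"fail2ban\.actions(?:\[\d+\])?:\s+[A-Z]+\s+"
    r"\[(?P<jail>[^\]]+)\]\s+Ban\s+(?P<ip>[0-9A-Fa-f.:]+)\s*$"
)

# Constructed sample: three reporting sites, one IP hitting all of them,
# one hitting two, and an Unban that must not be treated as a sighting.
SITE_LOGS = {
    "siteA": (
        "2013-09-16 07:27:08,123 fail2ban.actions: WARNING [ssh] Ban 203.0.113.5\n"
        "2013-09-16 07:30:11,456 fail2ban.actions: WARNING [postfix] Ban 198.51.100.7\n"
        "2013-09-16 07:31:00,001 fail2ban.filter: INFO Log rotation detected\n"
    ),
    "siteB": (
        "2013-09-16 08:02:19,789 fail2ban.actions[2210]: NOTICE [sshd] Ban 203.0.113.5\n"
        "2013-09-16 08:05:00,000 fail2ban.actions[2210]: NOTICE [sshd] Unban 192.0.2.9\n"
    ),
    "siteC": (
        "2013-09-16 09:14:42,321 fail2ban.actions: WARNING [ssh] Ban 203.0.113.5\n"
        "2013-09-16 09:20:05,654 fail2ban.actions: WARNING [ssh] Ban 198.51.100.7\n"
    ),
}


def parse_bans(site, text):
    """Return a list of {'site','ts','jail','ip'} dicts for every Ban line in text.

    Non-matching lines (Unban, filter chatter, garbage) are skipped rather than
    raising, since an aggregator must tolerate log noise from remote sites.
    """
    events = []
    for line in text.splitlines():
        m = BAN_RE.match(line)
        if m:
            events.append({"site": site, "ts": m.group("ts"),
                           "jail": m.group("jail"), "ip": m.group("ip")})
    return events


def correlate(logs, threshold=2):
    """Map attacker IP -> sorted list of distinct sites that banned it,
    keeping only IPs seen at >= threshold sites.

    Counting distinct sites rather than raw events is the point: one site
    re-banning the same host ten times is one opinion, not ten.
    """
    sites_by_ip = defaultdict(set)
    for site, text in logs.items():
        for ev in parse_bans(site, text):
            sites_by_ip[ev["ip"]].add(site)
    return {ip: sorted(sites) for ip, sites in sites_by_ip.items()
            if len(sites) >= threshold}


def blocklist(logs, threshold=2):
    """Sorted list of IPs that meet the cross-site threshold."""
    return sorted(correlate(logs, threshold))


if __name__ == "__main__":
    for ip, sites in sorted(correlate(SITE_LOGS, threshold=2).items()):
        print(f"{ip}\tseen at {len(sites)} sites: {', '.join(sites)}")
    print("blocklist:", blocklist(SITE_LOGS, threshold=2))
```

Raising the threshold is the knob Tom alludes to: with `threshold=3` only the host seen at all three sites survives, which is the trade-off between catching more scanners and accidentally blocking a shared NAT or a mail relay that one noisy site dislikes. Whatever feed you build on top of this still needs a whitelist for your own addresses and an expiry for old sightings before it is safe to drive a firewall.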