[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

fail2ban vs. syslogd compression

Hello everybody, 

I believe this belongs to the security-mailing list. I recently took a
server online and it was immediately hit by pop3-cracking attempts. Well,
they were quite stupid, since they were attempting once for each name taken
from a 'frequent names list', so I guess somebody was looking for
non-password protected accounts. However, being annoyed, I wanted to tweak
fail2ban, which I am already using for ssh, to pop3 and imap, too. No
problem, standard debian /etc/fail2ban/jail.conf issue has the relevant
sections, so I went ahead.

But then I ran a test, and fail2ban didn't respond. The reason was that I
hit the server 5 times (my fail2ban max-retry) in quite a short time, so
instead of logging 'pop3: login failed <host>' 5 times  to mail.log, it
logged the message once and afterwards issued 'last message repeated 4
times', which is not helpful at all to fail2ban. However, I consider it a
realworld scenario that a cracker/script kiddy would hit the server in a
short time.

I then sought to disable this kind of log compression, but it is not stated
in the man pages how to do that. While the freebsd syslogd seems to have
such a commandline switch (-c -c ), the syslogd shipped with debian doesn't
have it, and syslogd-ng seems to not have it, either.

So I ended up with not knowing what to do and turned to the debian security
list. you people have any idea, or what are you doing?

kind regards


Reply to: