Re: fail2ban vs. syslogd compression
On Tue, Aug 28, 2007 at 12:43:10PM +0200, Maxim Kammerer wrote:
> Hello everybody,
> I believe this belongs to the security mailing list. I recently took a
> server online and it was immediately hit by pop3-cracking attempts. Well,
> they were quite stupid, since they were attempting once for each name taken
> from a 'frequent names list', so I guess somebody was looking for
> non-password-protected accounts. However, being annoyed, I wanted to tweak
> fail2ban, which I am already using for ssh, to pop3 and imap, too. No
> problem, the standard Debian /etc/fail2ban/jail.conf issue has the relevant
> sections, so I went ahead.
> But then I ran a test, and fail2ban didn't respond. The reason was that I
> hit the server 5 times (my fail2ban max-retry) in quite a short time, so
> instead of logging 'pop3: login failed <host>' 5 times to mail.log, it
> logged the message once and afterwards issued 'last message repeated 4
> times', which is not helpful at all to fail2ban. However, I consider it a
> real-world scenario that a cracker/script kiddie would hit the server in a
> short time.
> I then sought to disable this kind of log compression, but it is not stated
> in the man pages how to do that. While the FreeBSD syslogd seems to have
> such a command-line switch (-c -c), the syslogd shipped with Debian doesn't
> have it, and syslog-ng seems to not have it, either.
> So I ended up with not knowing what to do and turned to the Debian security
> list. Do you people have any idea, or what are you doing?
Wouldn't a better option be to teach fail2ban how to parse the "last
message repeated ..." messages?
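One way to handle the compression on the fail2ban side, as an added example that is not from this thread or from fail2ban itself: a small Python log reader that expands syslogd's "last message repeated N times" marker before applying a fail2ban-style failregex and counting failures per host. The sample log lines and both regexes are constructed for illustration, not taken from any real jail.conf.

```python
import re
from collections import Counter

# Constructed sample mail.log excerpt (not from the thread): a pop3 failure,
# the syslogd compression marker, an imap failure, and an unrelated sshd line
# that is also "repeated" and must not be counted as a failure.
SAMPLE_LOG = """\
Aug 28 12:40:01 mail pop3d: pop3: login failed 192.0.2.10
Aug 28 12:40:05 mail last message repeated 4 times
Aug 28 12:41:10 mail imapd: imap: login failed 198.51.100.7
Aug 28 12:41:30 mail sshd[1234]: Accepted publickey for alice from 203.0.113.5 port 2200
Aug 28 12:41:31 mail last message repeated 2 times
"""

# Hypothetical fail2ban-style failregex: captures the offending host.
FAIL_RE = re.compile(
    r"^\w{3} +\d+ \d\d:\d\d:\d\d \S+ \S+ (?:pop3|imap): login failed (?P<host>\S+)$")
# syslogd marker: "<timestamp> <hostname> last message repeated N times"
REPEAT_RE = re.compile(
    r"^\w{3} +\d+ \d\d:\d\d:\d\d \S+ last message repeated (?P<n>\d+) times$")


def expand_repeats(lines):
    """Yield log lines with syslogd's repeat marker replaced by N copies of
    the preceding line. The marker's own timestamp is not preserved: the
    replayed copies carry the original line's timestamp. A marker with no
    preceding line (e.g. at the top of a rotated file) is dropped."""
    previous = None
    for line in lines:
        m = REPEAT_RE.match(line)
        if m:
            if previous is not None:
                for _ in range(int(m.group("n"))):
                    yield previous
            continue
        previous = line
        yield line


def count_failures(log_text):
    """Return {host: failed_logins} after expanding the repeat markers."""
    counts = Counter()
    for line in expand_repeats(log_text.splitlines()):
        m = FAIL_RE.match(line)
        if m:
            counts[m.group("host")] += 1
    return dict(counts)


def hosts_over_threshold(log_text, maxretry=5):
    """Hosts that reached maxretry failures (fail2ban's ban condition)."""
    return sorted(h for h, n in count_failures(log_text).items() if n >= maxretry)
```

Because the replayed copies reuse the first line's timestamp, a findtime window check applied afterwards sees the whole burst at one instant, which is conservative for the case described in the thread.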