0

Last years i use perfect software denyhosts for analyze logs and deny access if some ip address have 3 or more unsuccess logins.

I like that, but problem is - too much CPU/memory consuption for my weak computers.

May be some software without interpetator will be more good.

Can you suggest?

sysadmin1138
  • 134,165
Korjavin Ivan
  • 2,270
  • 1
    If denyhosts is using too much CPU/RAM, you really need better servers... – ceejayoz Jan 05 '12 at 20:59
  • well, yes in absolute values its not so much. But last time some my computers with secondary tasks have big LoadAverage and eat all memory.

    I just wonder, what if exist some software C/perl software with 1M used memory, it will be cool. For me task parse log and write line into hosts.deny looks trivial, and i not sure that entire python needed in memory.

    Also i like unification, i use puppet for all my servers and want universal solutions for all comps include weak.

     – Korjavin Ivan Jan 05 '12 at 21:19

3 Answers3

0

Try looking at fail2ban. and/or... rotate your logs so they don't get too big to analyze.

TheCompWiz
  • 7,479
0

if you're running OpenBSD (or have a firewall somewhere in front of the machine in question), you could use pf(4) (or the equivalent for other firewall tools, e.g. iptables/ipchains) to block access to a given IP address for an arbitrary amount of time after an arbitrary number of failed login attempts.

actually, if CPU/RAM usage of denyhosts is causing you issues, you may want to switch to OpenBSD anyway for an OS that runs well on older hardware out of the box. see http://www.nmedia.net/flashdist/

darkuncle
  • 61
  • I use freebsd and debian boxes, and know nothing about openbsd. Problem with python is - some java apps on my comps like eat all memory, and permanent swap makes me mad. – Korjavin Ivan Jan 05 '12 at 21:21
  • iptables/ipchains will have no way to identify a "failed" login. It can limit connection attempts... but it has no way to identify the contents of a packet. – TheCompWiz Jan 05 '12 at 21:23
  • pf(4) can in fact identify a failed login (via ssh anyway; if we're talking about logins to a web service or authentication via e.g. htpasswd, that's a different story). Other firewalling software may not be so comprehensive. :) – darkuncle Jan 05 '12 at 21:27
  • how much CPU/RAM is your python denyhosts process using, anyway? and for log rotation, were you using the standard log rotation facility (in FreeBSD, it's /etc/newsyslog.conf, or at least it was a few years ago)? finally: pf(4) has been part of FreeBSD's base install since 2004. see http://www.freebsd.org/doc/handbook/firewalls-pf.html – darkuncle Jan 05 '12 at 21:30
0

If you are worried about load on your servers, then it certainly seems like it should be possible to setup syslog to send your logs off to some other system in the path. I can't give you the exact details, but it certainly seems like it should be possible to have all your logs gather to a central up-stream host which will perform any required intrusion prevent steps.

You can also setup iptables on the box to rate limit the number of connections. This in addition or in place of denyhosts/fail2ban should cut down on a lot on what those apps need to actually respond to.

See: Hundreds of failed ssh logins

Community
  • 1
Zoredache
  • 131,987