Creating a fail2ban replacement
Should have an alpha preview on monday. Here's a quick overview
name: funyun
tag: hate security, love funyun
features:
* Expiring iptables bans
* Combines multiple logs from multiple servers into a central database (sync mode)
* Creates IP bans using the combined data (sync mode)
* Supports snort, ssh, and mod_security logs; other formats can be added
* Provides a RESTful API that can be tied into the sync database
Why I'm making funyun:
We have two clusters, all with separate log files. Some are from snort, others from mod_security, and all have sshd logs. We needed a simple way to combine all this log data so we can ban offenders at the gateway. Enter funyun.
You can either post your logs here, or email me at: greg [at] halfgray [dot] com
Greg
6 Replies
Start with OSSEC and you'll be pretty much done.
ConfigServer firewall also does this stuff, except for central logging.
OSSEC is open source, so if there isn't an API you like, you could focus your efforts on that and contribute something to that larger community.
Fail2ban doesn't allow us to use all log data, both local and remote, for our ban lists on the gateway servers. Also, it makes no sense to run fail2ban on the cluster machines because the user will not always hit the same machine.
I know it may sound similar to OSSEC, but I need something simple and lightweight with minimal config. Also, it just has to work without having to learn another framework. Lastly, OSSEC is an IDS; funyun just uses log data to block users. OSSEC has been around for a while, but again, funyun is about our needs and hopefully it will help others.
I won't mention denyhosts as I think it's already covered enough.
We're not reinventing the wheel so much as making something to meet our needs that may also help the community. There are other features we have slated that help combat spam, but in the end our main goal is to use all log data from all clusters to secure the network.
Greg
* daemon
* uses multiple logs from multiple servers
* snort, mod_security, and sshd support
* distributed log management (prunes logs after saving to sync server)
* reactive bans (the more you attack, the longer the ban; config controlled)
* auto whitelisting (all IPs on your server are whitelisted)
* ban expirations (like fail2ban)
* per-key whitelisting (if a part of your network is blocked, it will only be blocked for others, not you)
* currently only supports iptables
* low memory footprint (my main focus is keeping this extremely lightweight)
* catches more sshd threats than fail2ban did
Here's what's pending:
* additional threat discovery sources using passive services (honeypot, Stop Forum Spam, Emerging Threats)
* whois lookup and provider notification
* public sync server so the SUs can test it out
* some formula / method to allow public attack data submission
* benchmarks
* documentation
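For anyone wanting to see what "reactive bans", "ban expirations" and "auto whitelisting" look like in practice, here is a small added example (my own sketch, not funyun's code, which hadn't been released at the time of this thread). It reads constructed sshd auth.log lines, counts failed logins per source IP inside a sliding window, skips addresses on a whitelist (standing in for the "all IPs on your server" auto whitelist), doubles the ban length each time the same IP is banned again, and tracks expiry. The iptables commands are returned as strings rather than executed, so it runs offline; the thresholds, the 10-minute base ban, the 2012 log year and the 192.0.2.0/24 "our network" range are all assumptions for the demo.

```python
"""Sketch of funyun-style reactive, expiring iptables bans (added example)."""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# OpenSSH "Failed password" lines as written to a Linux syslog-style auth.log.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>[\d.]+) port \d+"
)
LOG_YEAR = "2012"  # syslog timestamps carry no year; assumed for the demo

# Constructed sample log from two cluster nodes (web1, web2); not real data.
SAMPLE_LOG = """\
Mar  4 10:00:01 web1 sshd[2001]: Failed password for root from 203.0.113.9 port 51234 ssh2
Mar  4 10:00:03 web1 sshd[2001]: Failed password for root from 203.0.113.9 port 51235 ssh2
Mar  4 10:00:05 web2 sshd[3101]: Failed password for invalid user admin from 203.0.113.9 port 51236 ssh2
Mar  4 10:00:09 web1 sshd[2002]: Accepted publickey for greg from 192.0.2.10 port 40000 ssh2
Mar  4 10:00:11 web2 sshd[3102]: Failed password for greg from 192.0.2.10 port 40001 ssh2
Mar  4 10:00:12 web2 sshd[3102]: Failed password for greg from 192.0.2.10 port 40001 ssh2
Mar  4 10:00:13 web2 sshd[3102]: Failed password for greg from 192.0.2.10 port 40001 ssh2
Mar  4 10:30:00 web1 sshd[2050]: Failed password for root from 203.0.113.9 port 51300 ssh2
Mar  4 10:30:01 web1 sshd[2050]: Failed password for root from 203.0.113.9 port 51301 ssh2
Mar  4 10:30:02 web1 sshd[2050]: Failed password for root from 203.0.113.9 port 51302 ssh2
"""


class BanList:
    def __init__(self, whitelist, threshold=3, window=timedelta(minutes=10),
                 base_ban=timedelta(minutes=10), max_ban=timedelta(days=1)):
        self.whitelist = [ipaddress.ip_network(n) for n in whitelist]
        self.threshold, self.window = threshold, window
        self.base_ban, self.max_ban = base_ban, max_ban
        self.failures = defaultdict(list)  # ip -> timestamps inside the window
        self.active = {}                   # ip -> ban expiry
        self.strikes = defaultdict(int)    # ip -> how many times it was banned

    def is_whitelisted(self, ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.whitelist)

    def ban_duration(self, ip):
        # Reactive: every repeat ban doubles the length, capped at max_ban.
        return min(self.base_ban * (2 ** self.strikes[ip]), self.max_ban)

    def feed(self, line):
        """Return the iptables command if this line triggers a ban, else None."""
        m = FAILED_RE.match(line)
        if not m or self.is_whitelisted(m["ip"]):
            return None
        ip = m["ip"]
        ts = datetime.strptime(f"{LOG_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
        if ip in self.active and ts < self.active[ip]:
            return None  # already banned; the gateway is dropping it
        hits = [t for t in self.failures[ip] if ts - t < self.window] + [ts]
        self.failures[ip] = hits
        if len(hits) < self.threshold:
            return None
        self.failures[ip] = []
        self.active[ip] = ts + self.ban_duration(ip)
        self.strikes[ip] += 1
        return f"iptables -I INPUT -s {ip} -j DROP"

    def expire(self, now):
        """Return the iptables commands that lift bans expired as of `now`."""
        cmds = []
        for ip, until in sorted(self.active.items()):
            if until <= now:
                cmds.append(f"iptables -D INPUT -s {ip} -j DROP")
                del self.active[ip]
        return cmds


def process(log_text, whitelist=("192.0.2.0/24",)):
    """Feed every line through one BanList; return it and the ban commands issued."""
    bl = BanList(whitelist)
    bans = [cmd for line in log_text.splitlines() if (cmd := bl.feed(line))]
    return bl, bans


if __name__ == "__main__":
    bl, bans = process(SAMPLE_LOG)
    for cmd in bans:
        print(cmd)
    for ip, until in bl.active.items():
        print(f"{ip} banned until {until:%Y-%m-%d %H:%M:%S}")
    print(bl.expire(datetime(2012, 3, 4, 11, 0)))
```

In the sample, 203.0.113.9 is banned for 10 minutes after its third failure at 10:00:05, comes back at 10:30 after that ban has lapsed, and gets a 20-minute ban on the second strike; the failures from 192.0.2.10 are ignored because it is inside the whitelisted range. A real daemon would run `expire()` on a timer and apply the commands through a privileged helper rather than printing them.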