Creating a fail2ban replacement

I'm spending the weekend creating a replacement for fail2ban. I need mod_security and ssh logs from other people / platforms to make sure our regexes will work for everyone.

Should have an alpha preview on Monday. Here's a quick overview:

name: funyun

tag: hate security, love funyun

features:
* Expiring iptables bans
* Combines multiple logs from multiple servers to a central database - sync mode
* Creates IP bans using combined data - sync mode
* Supports snort, ssh, and mod_security logs; other formats can be added
* Provides a RESTful API that can be tied into the sync database

Why I'm making funyun:

We have 2 clusters, all with separate log files. Some are from snort, others from mod_security, and all have sshd logs. We needed a simple way to combine all this log data so we can ban offenders at the gateway: enter funyun.

You can either post your logs here, or email me at: greg [at] halfgray [dot] com

Greg

6 Replies

why reinvent the wheel? fail2ban works great.

Sounds like your real need might be to consolidate the logs from various machines onto the one serving as the gateway. Something like syslog-ng can be set up to do this.

What language are you using? The main problem I have with fail2ban is that it's sort of a pig on a vps. I'd definitely switch to a lightweight daemon written in C.

I like your feature list, but it seems like a "Not Invented Here" kind of thing.

Start with OSSEC and you'll be pretty much done.

ConfigServer firewall also does this stuff, except for central logging.

OSSEC is open source, so if there isn't an API you like, you could focus your efforts on that and contribute something to that larger community.

I looked at the current options:

Fail2ban doesn't allow us to use all log data, both local and remote, for our ban lists on the gateway servers. Also it makes no sense to run fail2ban on the cluster machines because the user will not always hit the same machine.

I know it may sound similar to OSSEC, but I need something simple and lightweight with minimal conf. Also it just has to work without having to learn another framework. Lastly, OSSEC is an IDS; funyun just uses log data to block users. OSSEC has been around for a while, but again funyun is about our needs and hopefully it will help others.

I won't mention denyhosts as I think it's already covered enough.

We're not reinventing the wheel so much as making something to meet our needs that may also help the community. There are other features we have slated that help combat spam, but in the end our main goal is to use all log data from all clusters to secure the network.

Greg

Here's what's done:
* daemon
* uses multiple logs from multiple servers
* snort, mod_security, and sshd support
* distributed log management (prunes logs after saving to sync server)
* reactive bans (the more you attack the longer the ban, config controlled)
* auto whitelisting (all IPs on your server are whitelisted)
* ban expirations (like fail2ban)
* per key whitelisting (if a part of your network is blocked, it will only be blocked for others, not you)
* currently only supports iptables
* low memory footprint (my main focus is keeping this extremely lightweight)
* catches more sshd threats than fail2ban did

Here's what's pending:
* additional threat discovery sources using passive services (honeypot, stop forum spam, emerging threats)
* whois lookup and provider notification
* public sync server so the SU's can test it out
* some formula / method to allow public attack data submission
* benchmarks
* documentation
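An added example, written here and not funyun's code nor Greg's, showing the mechanics that the first post (combine logs from multiple servers, ban on the combined data, expiring iptables bans) and the "done" list above (reactive bans, auto whitelisting, ban expirations) describe. Everything in it is an assumption: the `Banner` class and `process_log` helper, the thresholds and ban lengths, the whitelist, and the constructed sshd lines, which stand in for logs already pulled from two cluster hosts. The iptables commands are only collected as strings so the script runs offline; a real daemon would execute them.

```python
"""Toy funyun-style banner (added example, not the project's code):
merge sshd log lines from several hosts, count failures per source IP
across all of them, auto-whitelist our own network, and issue expiring,
escalating iptables bans. iptables commands are collected, never run."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

LOG_YEAR = 2024  # assumption: syslog timestamps carry no year

# Constructed sample lines, as if collected from hosts web1 and web2.
SAMPLE_SSHD_LOG = """\
Mar  9 10:01:02 web1 sshd[2104]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Mar  9 10:01:05 web1 sshd[2104]: Failed password for root from 203.0.113.7 port 51023 ssh2
Mar  9 10:01:09 web2 sshd[3310]: Failed password for root from 203.0.113.7 port 51030 ssh2
Mar  9 10:01:11 web2 sshd[3311]: Invalid user oracle from 198.51.100.23 port 40000
Mar  9 10:02:30 web1 sshd[2110]: Accepted publickey for greg from 192.0.2.10 port 50000 ssh2
Mar  9 10:03:00 web2 sshd[3320]: Failed password for root from 192.0.2.10 port 50001 ssh2
Mar  9 10:03:01 web2 sshd[3320]: Failed password for root from 192.0.2.10 port 50001 ssh2
Mar  9 10:03:02 web2 sshd[3320]: Failed password for root from 192.0.2.10 port 50001 ssh2
Mar  9 10:20:00 web1 sshd[2200]: Failed password for root from 203.0.113.7 port 52000 ssh2
Mar  9 10:20:01 web1 sshd[2200]: Failed password for root from 203.0.113.7 port 52001 ssh2
Mar  9 10:20:02 web2 sshd[3400]: Failed password for root from 203.0.113.7 port 52002 ssh2
"""

# Matches the two common OpenSSH failure messages; anything else is ignored.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"(?:Failed password for (?:invalid user )?\S+|Invalid user \S+) from (?P<ip>\S+)"
)


def parse_event(line):
    """Return (timestamp, host, source_ip) for a failed-login line, else None."""
    m = FAILED_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=LOG_YEAR)
    return ts, m["host"], m["ip"]


class Banner:
    def __init__(self, whitelist, threshold=3, window=timedelta(minutes=10),
                 base_ban=timedelta(minutes=10), max_ban=timedelta(days=1)):
        self.whitelist = [ip_network(n) for n in whitelist]  # our own ranges
        self.threshold, self.window = threshold, window
        self.base_ban, self.max_ban = base_ban, max_ban
        self.failures = defaultdict(deque)  # ip -> timestamps inside the window
        self.strikes = defaultdict(int)     # ip -> number of earlier bans
        self.bans = {}                      # ip -> expiry time
        self.per_host = defaultdict(int)    # (host, ip) -> failures seen there
        self.ban_history = []               # (ip, start, duration)
        self.actions = []                   # iptables commands we would run

    def is_whitelisted(self, ip):
        return any(ip_address(ip) in net for net in self.whitelist)

    def ban_duration(self, ip):
        """Reactive ban: doubles with every earlier ban, capped at max_ban."""
        return min(self.base_ban * 2 ** self.strikes[ip], self.max_ban)

    def expire(self, now):
        """Lift bans whose expiry has passed (fail2ban-style expiration)."""
        for ip, until in list(self.bans.items()):
            if until <= now:
                del self.bans[ip]
                self.actions.append(f"iptables -D INPUT -s {ip} -j DROP")

    def ingest(self, ts, host, ip):
        self.expire(ts)
        if self.is_whitelisted(ip) or ip in self.bans:
            return
        self.per_host[(host, ip)] += 1
        q = self.failures[ip]
        q.append(ts)
        while q and ts - q[0] > self.window:  # drop failures outside the window
            q.popleft()
        if len(q) >= self.threshold:
            duration = self.ban_duration(ip)
            self.bans[ip] = ts + duration
            self.strikes[ip] += 1
            self.ban_history.append((ip, ts, duration))
            self.actions.append(f"iptables -I INPUT -s {ip} -j DROP")
            q.clear()


def process_log(text, whitelist=("192.0.2.0/24",)):
    """Sync mode: merge events from every host by time, then feed them in order."""
    events = [e for e in (parse_event(l) for l in text.splitlines()) if e]
    events.sort(key=lambda e: e[0])
    banner = Banner(whitelist)
    for ts, host, ip in events:
        banner.ingest(ts, host, ip)
    return banner


if __name__ == "__main__":
    b = process_log(SAMPLE_SSHD_LOG)
    for cmd in b.actions:
        print(cmd)
    for ip, until in b.bans.items():
        print(f"{ip} banned until {until}, next ban would last {b.ban_duration(ip)}")
```

In the constructed log, 203.0.113.7 fails twice on web1 and once on web2 inside one window; with a per-host counter and a threshold of 3 neither host would trip, but the merged view does, which is the case the post makes for banning on combined data. The same address comes back after its 10-minute ban has expired and earns a 20-minute ban the second time, while 192.0.2.10 is never counted because it falls inside the whitelisted range.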
