nanog mailing list archives

Re: Parsing Syslog and Acting on it, using other input too


From: Christopher Morrow <morrowc.lists () gmail com>
Date: Fri, 30 Aug 2013 10:00:06 -0400

On Fri, Aug 30, 2013 at 8:55 AM, Shawn Wilson <ag4ve.us () gmail com> wrote:


Christopher Morrow <morrowc.lists () gmail com> wrote:
On Thu, Aug 29, 2013 at 10:50 AM, Don Wilder <don.wilder () gmail com> wrote:
I wrote a script in Linux that watches for unauthorized login attempts and adds the ip address to the blocked list in my firewall. You might want to search sourceforge for a DYN Firewall and modify it from there.


because fail2ban was too hard to install? or because you just wanted
to test yourself?

Actually I did the same. I use ipset lists (generally with a timeout) and take a regex or two and black / white list 
from a YAML file and just take (possibly multiple inputs) from piping tail -F. I also store addresses for future 
reference (by the script or otherwise).

This is quite maintainable as I can look at a list of people who have attacked the mail server and compare it to web 
attacks. Each process is a different type of service (different config file) and probably a different ipset. Due to 
ipset not actually doing anything until I make an iptables rule for it, I can run my script in a test mode (by 
default) and just see what happens (check its logs and the ipset list it generates). I haven't found the need for 
this yet but I can use cymru to look up how big their net is (see geocidr for an example of how to do this in perl) 
and use a hash:net ipset type and cover a whole net.

Basically what I'm saying in doing it this way is quite expandable and isn't very hard and I can do tons of stuff 
that fail2ban can't (I don't think - it's been a while since I looked).

you seem to be describing what fail2ban does... that and some grep of
syslog for fail2ban messages. If your solution works then great! :)
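The pipeline Shawn describes (tail -F piped into a script, regexes and allow/block lists from a config file, an ipset with a timeout per service, and a test mode that only reports what it would add) is small enough to sketch end to end. The following is an added example and not Shawn's script or any code from the thread; the log lines, the config dictionary standing in for his YAML file, the set names and the threshold values are all constructed for illustration.

```python
import re
import sys
from collections import Counter

# Constructed sample syslog lines (not from the thread), shaped like sshd and
# dovecot failed-authentication messages.
SAMPLE_LOG = """\
Aug 30 09:58:01 mail sshd[2201]: Failed password for invalid user admin from 198.51.100.23 port 40112 ssh2
Aug 30 09:58:03 mail sshd[2201]: Failed password for invalid user admin from 198.51.100.23 port 40114 ssh2
Aug 30 09:58:05 mail sshd[2203]: Failed password for root from 198.51.100.23 port 40120 ssh2
Aug 30 09:58:07 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts): user=<bob>, rip=203.0.113.9, lip=192.0.2.10
Aug 30 09:58:09 mail sshd[2207]: Accepted publickey for ops from 192.0.2.50 port 51000 ssh2
"""

# Hypothetical stand-in for the YAML config: one section per service with its
# regexes (each must expose an "ip" group), the ipset it feeds and a threshold,
# plus a global allow-list and the ipset entry timeout in seconds.
CONFIG = {
    "ssh": {
        "patterns": [r"sshd\[\d+\]: Failed password for .* from (?P<ip>\d+\.\d+\.\d+\.\d+) port"],
        "ipset": "ssh_bad",
        "threshold": 3,
    },
    "mail": {
        "patterns": [r"imap-login: .*auth failed.*rip=(?P<ip>\d+\.\d+\.\d+\.\d+)"],
        "ipset": "mail_bad",
        "threshold": 1,
    },
    "allowlist": ["192.0.2.50"],
    "timeout": 3600,
}

def count_failures(lines, patterns):
    """Return a Counter of source IP -> number of lines matching any pattern."""
    compiled = [re.compile(p) for p in patterns]
    hits = Counter()
    for line in lines:
        for rx in compiled:
            m = rx.search(line)
            if m:
                hits[m.group("ip")] += 1
                break
    return hits

def offenders(lines, config):
    """Map service name -> sorted IPs at or over its threshold, minus the allow-list."""
    allow = set(config["allowlist"])
    result = {}
    for name, svc in config.items():
        if name in ("allowlist", "timeout"):
            continue
        hits = count_failures(lines, svc["patterns"])
        result[name] = sorted(ip for ip, n in hits.items()
                              if n >= svc["threshold"] and ip not in allow)
    return result

def ipset_commands(found, config):
    """Render the ipset commands: a hash:ip set with timeout support, then one
    timed add per offender. -exist makes both steps idempotent on re-runs."""
    cmds = []
    ttl = config["timeout"]
    for name, ips in found.items():
        setname = config[name]["ipset"]
        cmds.append(f"ipset create {setname} hash:ip timeout {ttl} -exist")
        for ip in ips:
            cmds.append(f"ipset add {setname} {ip} timeout {ttl} -exist")
    return cmds

def run(lines, config, test_mode=True):
    """Test mode (the default) only reports the commands; nothing blocks until
    an iptables rule references the set, so a dry run is safe to inspect."""
    found = offenders(lines, config)
    cmds = ipset_commands(found, config)
    if test_mode:
        for c in cmds:
            print("[test-mode] would run:", c)
    else:
        import subprocess
        for c in cmds:
            subprocess.run(c.split(), check=True)
    return found, cmds

if __name__ == "__main__":
    # Read piped input (e.g. tail -F /var/log/auth.log | python3 this.py) when
    # present, otherwise fall back to the constructed sample.
    lines = sys.stdin if not sys.stdin.isatty() else SAMPLE_LOG.splitlines()
    run(lines, CONFIG, test_mode=True)
```

Run as-is it only prints the ipset commands it would issue; the set stays inert until an iptables rule such as a `-m set --match-set ssh_bad src -j DROP` entry consumes it, which is the property that makes the test mode trustworthy. Keeping the per-service counters (or writing them to a file) gives the cross-service view the post mentions, since the same source can be looked up in both the ssh and mail results.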
