Re: [Denyhosts-user] Parse multiple Logs (http?)

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 454-5900

Phil Schwartz wrote:

> Also, Apache must be restarted AFAIK in order to block an attacker  
> using it's internal ALLOW/DENY rules.  Of course, you could block it  
> at the kernel level w/ iptables if you wanted.

That's what fail2ban does by default: it creates firewall rules.

Nils Breunese.

> On Tue, 28 Oct 2008, René Berber wrote:
>
>> Terry Carmen wrote:
>>
>>> Does anybody know if denyhosts can parse multiple logs?
>>
>> No, it can't...
>>
>> I recommend using fail2ban, it can scan multiple logs and it  
>> already has
>> regexes for Apache.
>>
>>> It's doing a great job with failed ssh logins, but I'l like to  
>>> have it
>>> handle failed apache logins as well:
>>>
>>> /etc/httpd/logs/error_log:
>>>
>>> [Tue Oct 28 14:42:37 2008] [error] [client xx.xx.xxx.xxx] user  
>>> sdfasdfa
>>> not found: /
>>>
>>> It would be easy enough to point it to the log with a custom  
>>> regex, but
>>> then I assume it would then ignore /var/log/secure
>>>
>>> Any thoughts?
>>
>> An option with other services that use syslog is to just merge/copy  
>> the
>> messages to one log, but Apache is different, doesn't use syslog, has
>> its own log format (which can be customized).  I don't watch Apache's
>> log so I don't have first hand experience.
>>
>
> -- 
> Regards,
>
> Phil Schwartz
> - http://www.phil-schwartz.com
>
> Open Source Projects:
> - DenyHosts: http://www.denyhosts.net
> - Kodos: http://kodos.sourceforge.net
> - ReleaseForge: http://releaseforge.sourceforge.net
> - Scratchy: http://scratchy.sourceforge.net
> - FAQtor: http://faqtor.sourceforge.net