From: Nils B. (Lemonbit) <ni...@le...> - 2008-10-28 22:19:50
Phil Schwartz wrote:

> Also, Apache must be restarted AFAIK in order to block an attacker
> using its internal ALLOW/DENY rules. Of course, you could block it
> at the kernel level w/ iptables if you wanted.

That's what fail2ban does by default: it creates firewall rules.

Nils Breunese.

> On Tue, 28 Oct 2008, René Berber wrote:
>
>> Terry Carmen wrote:
>>
>>> Does anybody know if denyhosts can parse multiple logs?
>>
>> No, it can't...
>>
>> I recommend using fail2ban, it can scan multiple logs and it already has
>> regexes for Apache.
>>
>>> It's doing a great job with failed ssh logins, but I'd like to have it
>>> handle failed apache logins as well:
>>>
>>> /etc/httpd/logs/error_log:
>>>
>>> [Tue Oct 28 14:42:37 2008] [error] [client xx.xx.xxx.xxx] user sdfasdfa not found: /
>>>
>>> It would be easy enough to point it to the log with a custom regex, but
>>> then I assume it would then ignore /var/log/secure
>>>
>>> Any thoughts?
>>
>> An option with other services that use syslog is to just merge/copy the
>> messages to one log, but Apache is different, doesn't use syslog, has
>> its own log format (which can be customized). I don't watch Apache's
>> log so I don't have first hand experience.
>>
>
> --
> Regards,
>
> Phil Schwartz
> - http://www.phil-schwartz.com
>
> Open Source Projects:
> - DenyHosts: http://www.denyhosts.net
> - Kodos: http://kodos.sourceforge.net
> - ReleaseForge: http://releaseforge.sourceforge.net
> - Scratchy: http://scratchy.sourceforge.net
> - FAQtor: http://faqtor.sourceforge.net
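
The case raised in the thread, counting failed logins per client across both /var/log/secure and the Apache error_log, as an added example that is not part of the original messages and is not DenyHosts or fail2ban code. The Apache pattern follows the error_log line quoted above; the sshd line format, the function names and the sample addresses are assumptions made for illustration.

```python
import re
from collections import Counter

IP = r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
# One pattern per log format. Each is anchored (start of line for Apache, end
# of line for sshd) so the attacker-chosen username cannot supply the address.
PATTERNS = {
    "apache_error": re.compile(
        r"^\[[^\]]+\] \[error\] \[client " + IP + r"\] user .* not found"),
    "sshd_secure": re.compile(  # assumed typical OpenSSH "Failed password" line
        r"sshd\[\d+\]: Failed password for .* from " + IP
        + r" port \d+(?: ssh\d?)?$"),
}

def count_failures(logs):
    """logs maps a PATTERNS key to an iterable of lines; returns a Counter by IP."""
    hits = Counter()
    for fmt, lines in logs.items():
        for line in lines:
            m = PATTERNS[fmt].search(line.rstrip("\n"))
            if m:
                hits[m.group("ip")] += 1
    return hits

def offenders(logs, threshold=3):
    """Addresses whose combined failures across all logs reach the threshold."""
    return sorted(ip for ip, n in count_failures(logs).items() if n >= threshold)

# Constructed sample lines using documentation address ranges, not real log data.
SAMPLE = {
    "apache_error": [
        "[Tue Oct 28 14:42:37 2008] [error] [client 203.0.113.5] user sdfasdfa not found: /",
        "[Tue Oct 28 14:42:39 2008] [error] [client 203.0.113.5] user admin not found: /",
        "[Tue Oct 28 14:43:01 2008] [error] [client 198.51.100.7] File does not exist: /var/www/x",
    ],
    "sshd_secure": [
        "Oct 28 14:41:10 host sshd[2211]: Failed password for invalid user test from 203.0.113.5 port 40122 ssh2",
        "Oct 28 14:41:15 host sshd[2213]: Failed password for root from 198.51.100.7 port 51000 ssh2",
        # Username crafted to contain an address; the end anchor keeps the real peer.
        "Oct 28 14:41:20 host sshd[2215]: Failed password for invalid user x from 192.0.2.9 from 198.51.100.7 port 51002 ssh2",
    ],
}

if __name__ == "__main__":
    print(dict(count_failures(SAMPLE)))
    print(offenders(SAMPLE))
```

The returned addresses would then be handed to whatever does the blocking, for example the firewall rules mentioned above.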