mirror of https://github.com/jrbrtsn/ban2fail
Edits
This commit is contained in:
parent
acb34fa782
commit
7106b6e653
32
README.md
|
@ -4,15 +4,39 @@
|
||||||
|
|
||||||
**ban2fail** is a simple and efficient tool to coordinate log file scanning,
|
**ban2fail** is a simple and efficient tool to coordinate log file scanning,
|
||||||
reporting, and iptables filtering. As the name implies, *ban2fail* was
|
reporting, and iptables filtering. As the name implies, *ban2fail* was
|
||||||
inspired by the popular *fail2ban* project (http://fail2ban.org).
|
inspired by the popular *fail2ban* project (http://fail2ban.org). The main
|
||||||
|
technical advantages *ban2fail* provides over *fail2ban* are:
|
||||||
|
|
||||||
|
+ All relevant logfiles on disk are scanned, not just "current" logfiles.
|
||||||
|
|
||||||
|
+ A unique and transparent caching scheme is employed to make this process at
|
||||||
|
least 100x as fast as doing the same thing with, say, *grep*.
|
||||||
|
|
||||||
|
+ Instantaneously and conveniently produces on command all offending logfile
|
||||||
|
entries for any given address which exist somewhere in the logfile history.
|
||||||
|
|
||||||
|
+ Easily handles hundreds of thousands of blocked IP addresses.
|
||||||
|
|
||||||
|
+ Directly calls iptables, and handles filtering rules in batches of 100 per
|
||||||
|
call.
|
||||||
|
|
||||||
|
+ Provides integrated reporting with reverse and forward DNS information.
|
||||||
|
|
||||||
|
+ DNS lookups are performed in parallel with 200 simulataneous lookups.
|
||||||
|
|
||||||
|
+ Written in pure C, with less than 15,000 lines of source code.
|
||||||
|
|
||||||
|
+ Efficient enough to run every 0.4 seconds without saturating a CPU core on a
|
||||||
|
modest server.
|
||||||
|
|
||||||
|
|
||||||
*ban2fail* started with a few hours of frenzied C hacking after my mail server
|
*ban2fail* started with a few hours of frenzied C hacking after my mail server
|
||||||
was exploited to deliver spam for others who had cracked a user's SMTP send
|
was exploited to deliver spam for others who had cracked a user's SMTP send
|
||||||
password. After inspecting the log files I realized that crackers are now using
|
password. After inspecting the log files I realized that crackers are now using
|
||||||
widely distributed attacks, and that I would need an extremely efficient tool
|
widely distributed attacks, and that I would need an extremely efficient tool
|
||||||
that could run in a fraction of a second on my rather modest Linode virtual
|
that could scan my entire log file history in a fraction of a second on my
|
||||||
server to have a chance of stopping them. Here are the timing results for a
|
rather modest Linode virtual server to have a chance of stopping them. Here are
|
||||||
typical scan on my server:
|
the timing results for a typical scan on my server:
|
||||||
|
|
||||||
```
|
```
|
||||||
real 0m0.325s
|
real 0m0.325s
|
||||||
|
|
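Review bot: Typo in the added DNS bullet ("+ DNS lookups are performed in parallel with 200 simulataneous lookups."): "simulataneous" should be "simultaneous". Separately, the new caching bullet claims the scan is "at least 100x as fast as doing the same thing with, say, *grep*", but the only measurement in the README is the "real 0m0.325s" timing of a ban2fail scan with no grep comparison alongside it; either state what the 100x figure was measured against or soften it to a qualitative claim so the README does not promise a number readers cannot verify.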