From The Hacker News

  • StarDreamer (13 upvotes, edited, 1 year ago)

    Sounds like a job for crowdsec. Basically fail2ban on steroids. They already have a ban scenario for attempts to exploit web application CVEs. While the default ssh scenario does not ban specific usernames, I’m pretty sure writing a custom one would be trivial (writing a custom parser+scenario for Ghost CVEs from no knowledge to fully deployed took me just one afternoon).

    Another thing I like about crowdsec is the crowd sourced ban IPs. It’s super nice you can preemptively ban IPs that are port-scanning/probing other people’s servers.

    It’s also MIT licensed and uses less ram than fail2ban.
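    An added example (not from the poster, and not a hub scenario) of the kind of custom scenario described above: a crowdsec "trigger" scenario that bans a source IP on its first failed SSH login for a username no legitimate user on the box should have. It assumes the hub's sshd parser exposes the attempted username as evt.Meta.target_user and tags failures as log_type 'ssh_failed-auth'; the scenario name and username list are placeholders.

    ```yaml
    # Added example scenario, not shipped by crowdsec.
    # Assumes evt.Meta.target_user and log_type 'ssh_failed-auth' from the hub's sshd parser.
    type: trigger                          # fire on the first matching event, no leaky bucket
    name: example/ssh-forbidden-user       # placeholder name
    description: "Ban on first SSH login attempt with a forbidden username"
    filter: "evt.Meta.log_type == 'ssh_failed-auth' && evt.Meta.target_user in ['root', 'admin', 'oracle', 'ubuntu']"
    groupby: evt.Meta.source_ip            # one alert per offending source IP
    blackhole: 1m                          # suppress repeat alerts from the same IP for a minute
    labels:
      service: ssh
      type: bruteforce
      remediation: true                    # the default profile turns this into a ban decision
    ```

    Drop the file under /etc/crowdsec/scenarios/ and restart crowdsec; bouncers then enforce the resulting decisions like any hub scenario's.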

    • Shdwdrgn@mander.xyz (1 upvote, 1 year ago)

      Hmm, I keep hearing about it but haven’t looked into it. One thing I have set up between my systems is that they share the blocked IPs with each other, so every server drops a blocked address at the same time… I assume crowdsec has something similar for local sharing so I don’t have to wait for a blocked IP to be sent to them, added to the database, and sent back to my local machines again?

      • StarDreamer (2 upvotes, edited, 1 year ago)

        One way to do this would be to set up crowdsec bouncers on each server but only run a single instance of the crowdsec daemon. Send all logs to the daemon and let it communicate with all the bouncers.