|> Harry Enke wrote:
...
|> Is this in error?
|> "Fail2ban scans log files like /var/log/pwdfail or
|> /var/log/apache/error_log and bans IP that makes too many password
|> failures. It updates firewall rules to reject the IP address."
|>
|> Examining logs after the event does not provide real-time protection.
I haven't looked at this tool, but sshblack scans the logs
*as they are written* to monitor for likely attackers and
updates the rules as the attacks begin. You can set the
threshold in terms of number of tries over some period of
time that triggers a rule to block an apparent attacker.
You can be as aggressive or easy-going as you like. The result
is that a brute force attack must be so ponderously slow
as to be useless unless they just get ridiculously lucky
or you used a ridiculously simple-to-guess password.
I'd think this is what they mean. It's real-time monitoring
with real-time blocking.
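The threshold rule the reply describes (some number of failures from one address within some period trips a block, and a sufficiently slow attacker never trips it), as an added Python example; this is not code from sshblack or Fail2ban, and the sshd log format, the supplied year and the sample log lines are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Matches a classic sshd "Failed password" syslog line. Real formats vary by
# distribution and syslog daemon; this pattern is an assumption for the sample.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?\S+ from (?P<ip>[\d.]+) port \d+"
)

class FailureTracker:
    """Sliding-window rule: ban an IP once it produces `threshold` failures within
    `window` seconds. State persists between calls, so lines can be fed as appended."""
    def __init__(self, threshold=3, window=600, year=2004):
        self.threshold, self.window, self.year = threshold, timedelta(seconds=window), year
        self.failures = defaultdict(deque)   # ip -> timestamps of recent failures
        self.banned = set()
    def feed(self, line):
        """Consume one log line; return the IP if this line trips the ban rule, else None."""
        m = FAILED_RE.match(line)
        if not m or m.group("ip") in self.banned:
            return None
        # syslog timestamps carry no year, so one is supplied (assumed for the sample)
        ts = datetime.strptime(f"{self.year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
        q = self.failures[m.group("ip")]
        q.append(ts)
        while ts - q[0] > self.window:       # forget failures older than the window
            q.popleft()
        if len(q) >= self.threshold:
            self.banned.add(m.group("ip"))
            return m.group("ip")
        return None

# Constructed sample log (not from a real host): 203.0.113.7 fails three times in
# under a minute; 198.51.100.9 spaces its three failures 15 minutes apart.
SAMPLE_LOG = """\
Mar 12 10:00:01 host sshd[1001]: Failed password for root from 203.0.113.7 port 40001 ssh2
Mar 12 10:00:09 host sshd[1002]: Failed password for invalid user admin from 203.0.113.7 port 40002 ssh2
Mar 12 10:00:15 host sshd[1003]: Accepted password for alice from 192.0.2.10 port 50000 ssh2
Mar 12 10:00:20 host sshd[1004]: Failed password for root from 198.51.100.9 port 41000 ssh2
Mar 12 10:00:24 host sshd[1005]: Failed password for root from 203.0.113.7 port 40003 ssh2
Mar 12 10:15:20 host sshd[1006]: Failed password for root from 198.51.100.9 port 41001 ssh2
Mar 12 10:30:20 host sshd[1007]: Failed password for root from 198.51.100.9 port 41002 ssh2
"""

def scan(log_text, threshold=3, window=600):
    """Feed every line in order; return the IPs banned, in the order they tripped the rule."""
    tracker = FailureTracker(threshold, window)
    return [ip for ip in map(tracker.feed, log_text.splitlines()) if ip]
```

With the default ten-minute window only the fast attacker is banned; widening the window to an hour catches the slow one too, which is the aggressive-versus-easy-going knob the reply mentions.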