Hacker News

Not sure if it’s sad or hilarious that people recommend fail2ban as a solution to log spam (or as a solution to anything really)

Do you really think making firewalling decisions based on unstructured attacker-controlled log data is a good idea?



You control what fail2ban does with said log data and what actually gets logged. There are better ways than fail2ban of course but it's not the worst solution on the planet.


If you're using regex to parse attacker controlled files I'm not entirely sure if you're in control.

Many unexpected things can happen, as a simple example SSH can generate log entries like this

  Jan 30 17:37:04 server sshd[26695]: Invalid user root from 127.0.0.1 from 10.0.0.1
The default rules can deal with this specific example, but this is certainly a path I wouldn't want to go down myself.
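To make the point in the comment above concrete, here is an added example (my own code, not from the thread and not fail2ban's actual filter) that runs two candidate patterns over constructed sshd lines, including the one quoted above. The "user name" field of an `Invalid user` event is chosen by the remote party, so a pattern that grabs the first `from <address>` it sees can be steered into extracting an address the attacker wrote into the log rather than the one sshd appended. Anchoring the address to the end of the line, plus a sanity check on what gets handed to the firewall, is the defensive shape; the anchored pattern and the `ban_candidate` guard are assumptions of this example rather than a description of any particular fail2ban rule.

```python
import re
import ipaddress

# Constructed sample lines. The second one is the case discussed in the thread:
# the attacker-chosen user name itself contains "from 127.0.0.1".
SAMPLE_LOGS = [
    "Jan 30 17:36:58 server sshd[26690]: Invalid user admin from 10.0.0.1",
    "Jan 30 17:37:04 server sshd[26695]: Invalid user root from 127.0.0.1 from 10.0.0.1",
]

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"

# Naive pattern: a hand-written filter that takes the first "from <ip>" after the user name.
NAIVE = re.compile(r"Invalid user \S+ from " + IPV4)

# Anchored pattern: the user part is non-greedy and the captured address must be the last
# thing on the line (an optional " port N" suffix aside), so only sshd's own trailing
# address can satisfy it. This is an illustrative pattern, not fail2ban's shipped one.
ANCHORED = re.compile(r"Invalid user .*? from " + IPV4 + r"(?: port \d+)?\s*$")


def extract_host(line, pattern):
    """Return the captured address for `line` under `pattern`, or None if no match."""
    m = pattern.search(line)
    return m.group(1) if m else None


def naive_host(line):
    return extract_host(line, NAIVE)


def anchored_host(line):
    return extract_host(line, ANCHORED)


def ban_candidate(line):
    """Address a ban action should receive for `line`, or None.

    Uses the anchored pattern and then refuses loopback/unspecified addresses as a
    second line of defence, since a log-driven ban of 127.0.0.1 is self-inflicted damage.
    """
    host = anchored_host(line)
    if host is None:
        return None
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return None  # malformed octets such as 999.1.1.1 never reach the firewall
    if addr.is_loopback or addr.is_unspecified:
        return None
    return host


if __name__ == "__main__":
    for line in SAMPLE_LOGS:
        print(f"naive={naive_host(line)!s:<12} anchored={anchored_host(line)!s:<12} "
              f"ban={ban_candidate(line)}")
```

Run as a script, the second line shows the naive filter handing `127.0.0.1` to the ban action while the anchored one yields `10.0.0.1`; the wider lesson is that any field preceding the address in the log line is untrusted input to the regex, not just this one.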



