OPNsense Forum » English Forums » Intrusion Detection and Prevention » Suricata as fail2ban replacement
Topic: Suricata as fail2ban replacement (Read 6867 times)
ruggerio (Sr. Member, Posts: 295, Karma: 11)
Suricata as fail2ban replacement
« on: September 04, 2018, 12:12:39 pm »
Hi,
Fail2ban is a tool which detects e.g. brute-force attacks on SSH, mail servers or similar.
My question is whether rulesets exist for Suricata which could also block IPs according to the attack pattern (e.g. 5 logins from the same source within 5 minutes or so... it would not be able to differentiate between successful and unsuccessful ones).
Thanks,
Roger
juliocbc (Sr. Member, Posts: 332, Karma: 12)
Re: Suricata as fail2ban replacement
« Reply #1 on: September 17, 2018, 12:45:48 am »
Hello Ruggerio,
I think that would be done better with a host IPS like OSSEC, for the brute-force purpose.
Cheers!
Cloudfence Open Source Team
ruggerio (Sr. Member, Posts: 295, Karma: 11)
Re: Suricata as fail2ban replacement
« Reply #2 on: September 18, 2018, 08:52:46 am »
Yes, you are right, but it would be nice to have it centralized.
If it is not possible with Suricata, why not think about:
- having a syslog server on the OPNsense machine
- sending log entries to OPNsense
- OPNsense running a kind of fail2ban that checks the logs and blocks the offending IPs generally
instead of each machine having its own IPS.
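The centralized design sketched in Reply #2 (collect the hosts' syslog on one box, count failed logins per source, block the offenders) can be shown in working code. The following is an added example written for this thread; it is not code from the original posts, from OPNsense, fail2ban or OSSEC. It assumes traditional BSD-style syslog lines from OpenSSH's sshd as input (the sample lines below are constructed, the addresses are documentation ranges), uses the original poster's numbers (5 failures from one source within 5 minutes) as the threshold, and assumes a year because that timestamp format carries none. Because it works on the log text rather than on packets, it can tell a "Failed password" from an "Accepted" line, which the original post notes a packet-level rule could not.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample syslog lines (not real logs) as several hosts would
# forward them to a central syslog server on the firewall.
SAMPLE_LOG = """\
Sep 18 08:50:01 mail1 sshd[2201]: Failed password for root from 203.0.113.7 port 51000 ssh2
Sep 18 08:50:09 mail1 sshd[2203]: Failed password for root from 203.0.113.7 port 51001 ssh2
Sep 18 08:50:20 web2 sshd[911]: Failed password for invalid user admin from 203.0.113.7 port 51002 ssh2
Sep 18 08:51:02 web2 sshd[912]: Failed password for invalid user admin from 203.0.113.7 port 51003 ssh2
Sep 18 08:51:45 mail1 sshd[2210]: Failed password for root from 203.0.113.7 port 51004 ssh2
Sep 18 08:52:00 mail1 sshd[2212]: Accepted publickey for roger from 198.51.100.5 port 40022 ssh2
Sep 18 08:53:10 web2 sshd[915]: Failed password for bob from 198.51.100.9 port 40100 ssh2
Sep 18 09:10:00 web2 sshd[930]: Failed password for bob from 198.51.100.9 port 40101 ssh2
"""

# BSD syslog header followed by the sshd process tag and its message.
LINE_RE = re.compile(
    r"^(?P<month>\w{3})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"(?P<host>\S+) sshd\[\d+\]: (?P<msg>.*)$"
)
# Only failed authentication messages count; "Accepted ..." lines are ignored.
FAIL_RE = re.compile(r"^Failed password for (?:invalid user )?\S+ from (?P<ip>[\d.]+) port \d+")


def parse_line(line, year=2018):
    """Return (timestamp, host, message) for a syslog line, or None if it is not sshd."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    # Assumed year: the BSD syslog timestamp does not carry one.
    ts = datetime.strptime(f"{year} {m['month']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
    return ts, m["host"], m["msg"]


def find_offenders(lines, threshold=5, window=timedelta(minutes=5), year=2018):
    """Sliding-window count of failed logins per source IP, aggregated over all hosts.

    Returns {ip: timestamp of the failure that crossed the threshold}.
    """
    recent = defaultdict(deque)   # ip -> timestamps of failures inside the window
    blocked = {}
    for line in lines:
        parsed = parse_line(line, year)
        if parsed is None:
            continue
        ts, _host, msg = parsed
        f = FAIL_RE.match(msg)
        if f is None:
            continue              # successful logins and other messages are not counted
        ip = f["ip"]
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()           # drop failures older than the window
        if len(q) >= threshold and ip not in blocked:
            blocked[ip] = ts
    return blocked


def block_commands(blocked, table="bruteforce"):
    """Render one pfctl command per offender for a pf table (table name is an assumption)."""
    return [f"pfctl -t {table} -T add {ip}" for ip in sorted(blocked)]


if __name__ == "__main__":
    offenders = find_offenders(SAMPLE_LOG.splitlines())
    for ip, when in offenders.items():
        print(f"{ip} crossed the threshold at {when}")
    print("\n".join(block_commands(offenders)))
```

In the sample, 203.0.113.7 is reported after its fifth failure at 08:51:45 even though the failures are spread over two hosts, while 198.51.100.9 is not, since its two failures are 17 minutes apart. The pf table written by `block_commands` would be referenced from a firewall rule; keeping the time of the first block makes it straightforward to expire entries later, which is the part of fail2ban's behaviour this sketch leaves out.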
juliocbc (Sr. Member, Posts: 332, Karma: 12)
Re: Suricata as fail2ban replacement
« Reply #3 on: September 18, 2018, 12:32:56 pm »
Seems to be a nice solution!
OSSEC has an agentless deployment too, and the advantage of it, in my point of view, is that it can do more things like file system integrity monitoring, a lot of rulesets for log monitoring, etc.
Cloudfence Open Source Team
Julien (Hero Member, Posts: 666, Karma: 33)
Re: Suricata as fail2ban replacement
« Reply #4 on: September 30, 2018, 11:21:21 pm »
I've been looking for this for a long time.
Is this OSSEC already available in the packages?
OPNsense 23.1.7_3-amd64
FreeBSD 13.1-RELEASE-p7
OpenSSL 1.1.1t 7 Feb 2023
ruggerio (Sr. Member, Posts: 295, Karma: 11)
Re: Suricata as fail2ban replacement
« Reply #5 on: October 03, 2018, 01:12:34 pm »
I don't think so. I will make a request on GitHub; let's wait for the opinion of the devs.
I will link the request to this thread.
On GitHub:
https://github.com/opnsense/plugins/issues/887
« Last Edit: October 03, 2018, 01:20:44 pm by ruggerio »