Suricata as fail2ban replacement

Started by ruggerio, September 04, 2018, 12:12:39 PM

Hi,

Fail2ban is a tool which detects e.g. brute-force attacks against SSH, mail servers or similar.

My question is whether there exist rulesets for Suricata which could also block IPs according to the attack pattern (e.g. 5 logins from the same source within 5 minutes or so... it would not be able to distinguish between successful and unsuccessful logins).

Thanks,
Roger

Hello Ruggerio,

I think that is better done with a host IPS like OSSEC, for the brute-force purpose.

Cheers!
Cloudfence Open Source Team

Yes, you are right, but it would be nice to have it centralized.

If it is not possible with Suricata, why not think about:

- having a syslog server on the OPNsense machine
- sending log entries to OPNsense
- OPNsense running some kind of fail2ban that checks the logs and blocks the offending IPs generally

instead of each machine having its own IPS.


Seems to be a nice solution!

OSSEC has an agentless deployment too, and its advantage, in my point of view, is that it can do more things like file system integrity monitoring, a lot of rulesets for log monitoring, etc.

Cloudfence Open Source Team

I've been looking for this for a long time.
Is this OSSEC already available in the packages?
DEC4240 – OPNsense Owner

October 03, 2018, 01:12:34 PM #5 Last Edit: October 03, 2018, 01:20:44 PM by ruggerio
I don't think so. I will make a request on GitHub; let's wait for the opinion of the devs.

I will link the request to this thread.

On GitHub: https://github.com/opnsense/plugins/issues/887