[syslog-ng] Firewalling with syslog-ng, a working prototype

Balazs Scheidler bazsi at balabit.hu
Wed Feb 23 16:17:01 CET 2011


Hi,

It's such a great idea that I posted on my blog about it.  Thanks for
both the idea and the implementation.

And of course your possible pattern additions are more than welcome.

On Sun, 2011-02-20 at 23:06 +0100, Valentijn Sessink wrote:
> Hi list,
> 
> For a week or so, I've been gathering the building blocks for a sort of 
> low-tech intrusion detection/prevention system.
> 
> My "itch": having a system that acts "real time" on the log messages 
> that various daemons produce; having it low profile; easy to get it to 
> act (i.e. no scripts that call scripts that call other scripts). For 
> example, if sshd says "invalid user", I'd like the firewall to act on 
> this, with as few steps in between as possible. Luckily, syslog-ng is 
> able to find patterns all by itself, so I'm able to "skip the 
> middleman", i.e. I can use syslog-ng directly on the firewalling rules. And 
> what is better: I'm not even using the program() call!
> 
> I'm currently running such a system in pre-production and I'm delighted. 
> It's really easy to build. It works like a charm. Here's how:

-- 
Bazsi
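The quoted post stops just before its "Here's how", so what follows is an added example of the same idea written for this page; it is not Valentijn's setup, not Bazsi's, and not code from the syslog-ng project. It assumes syslog-ng 3.2 configuration syntax, that sshd logs the classic "Invalid user NAME from IP" message, a FIFO at /var/run/syslog-ng/ipset.fifo, and an ipset named ssh_offenders; all of those names are assumptions, as are the 3600 second timeout and the pcre regular expression. The point it demonstrates is the one in the post: the regex match happens inside syslog-ng, and the destination is a pipe() whose template already speaks `ipset restore` syntax, so there is no program() call and no script in between.

```conf
@version: 3.2
# Added example (not from the original post or the syslog-ng project).
# Feed sshd "Invalid user" events straight into an ipset through a named
# pipe. Paths, set name and timeout are assumptions, not anything from
# the thread.

source s_local { unix-dgram("/dev/log"); internal(); };

# Keep only sshd's "Invalid user <name> from <ipv4>" lines. The pcre
# capture groups are exposed as $1 (user) and $2 (client address) to the
# rest of the log path. No "$" anchor at the end, so an sshd that appends
# " port N" still matches. The regex is written without backslashes to
# avoid any doubt about escaping inside syslog-ng double-quoted strings.
filter f_ssh_invalid {
    program("sshd")
    and match("^Invalid user ([^ ]+) from ([0-9]+(?:[.][0-9]+){3})"
              value("MESSAGE") type("pcre"));
};

# Emit one `ipset restore` line per event. Only the address ($2), which
# sshd takes from the socket, goes to the pipe; the attacker-chosen
# user name ($1) is deliberately never written to the firewall side.
# The FIFO must exist (mkfifo) and have a reader before messages flow.
destination d_ipset {
    pipe("/var/run/syslog-ng/ipset.fifo"
         template("add ssh_offenders $2 timeout 3600\n"));
};

log { source(s_local); filter(f_ssh_invalid); destination(d_ipset); };
```

On the kernel side (assumed commands, run once before starting syslog-ng): `ipset create ssh_offenders hash:ip timeout 3600`, then `iptables -I INPUT -p tcp --dport 22 -m set --match-set ssh_offenders src -j DROP`, then `mkfifo /var/run/syslog-ng/ipset.fifo` and a reader loop such as `while :; do ipset restore -exist < /var/run/syslog-ng/ipset.fifo; done`. Because syslog-ng keeps the pipe open, the reader never sees EOF and each matched line becomes a set entry as it is written. Two caveats a practitioner will want: put an ACCEPT for your own management addresses before the DROP rule, since one mistyped user name from your own workstation would otherwise lock you out; and remember that the match is only on the message text, so a pattern that also swallowed "Failed password" lines or that trusted a user-supplied field in the template would let an attacker feed arbitrary text to `ipset restore`. The same thing can be done with a patterndb rule (an `@ESTRING@` and `@IPv4@` parser pair plus a tags() filter) instead of match(); the shape of the log path is identical.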