logoalt Hacker News

m3047today at 5:27 PM1 replyview on HN

"Many sysadmins know about fail2ban..." and many will now know about reaction. But why will the result be any different than fail2ban? It won't.

I identify features (which can be expressed as firewall rules) from log data; I write totals to a temporary store (Redis). I have periodic tasks which scan the temp store for patterns which exceed thresholds. When that occurs, fail2ban creates the appropriate rules. This occurs in depth and in concentric rings.

Et tu?


Replies

thomzanetoday at 6:01 PM

The difference between fail2ban and reaction is performance. If you are not hitting the ceiling of fail2ban, then you may not need reaction.

Do you have a blog post about your automated fail2ban rule generation?