@@ -17,7 +17,7 @@ controlled by hackers, so-called botnets. That means that an IP attacking one se
(http, mail, ssh, ..) can very much attack another server later on, maybe on another protocol.
Hence the idea of sharing bad IPs between servers, and to block the whole IP, not just the attacked port
(as done by lot of other solutions).
(as done by lots of other solutions).
Think of botfreak as fail2ban on steroids with centralized/shared database.
...
...
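Review bot: the motivation paragraph in this hunk says botfreak blocks "the whole IP, not just the attacked port" and shares those IPs between servers, but nothing here tells an operator how to exempt their own addresses; since a single false match by one watcher on one host propagates to every peer on every protocol, this paragraph (or a sentence right after it) should point to the allowlist/whitelist mechanism, or state plainly that there is none yet. The "lot" to "lots" correction itself is fine.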
@@ -45,9 +45,10 @@ Currently botfreak only works on linux servers. It can probably very easily be p
botfreak is implemented in python, the website and APIs are served by Django.
There are currently two kinds of blockers: one based on `iptables` (legacy), and one based on `ipset`, which scales very well. I barely notice anything with half a million entries.
There are currently two kinds of blockers: one based on `iptables` (legacy), and one based on `ipset`, which scales very well. I barely notice anything (ram/cpu) with 1.2 million entries.
There are currently one main class of feeders, called `watchers`: they analyze log files using mostly python `regexes`, using a hierarchy of classes. Examples are provided for web, ssh, postfix, dovecot and bind, complete with [doctests](https://docs.python.org/3/library/doctest.html).
It's very easy to add new ones or tweak existing ones, if you know a little bit of python, that is: just copy the exemple 'bad' log line in doctests, and tweak the class/regex until the test pass again.
There is currently only one main class of feeders, called `watchers`: they analyze log files, mostly using python `regexes` and a hierarchy of classes. Examples are provided for web, ssh, postfix, dovecot and bind, complete with [doctests](https://docs.python.org/3/library/doctest.html).
It's very easy to add new ones or tweak existing ones, if you know a little bit of python, that is: just copy the example 'bad' log line in doctests, and tweak the class/regex until the test passes again.
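Review bot: the scaling claim in the rewritten `ipset` line ("I barely notice anything (ram/cpu) with 1.2 million entries") is anecdotal; since the whole point of the sentence is that the `ipset` blocker scales where the `iptables` one does not, say which set type the blocker creates and which size-related options (hashsize/maxelem or equivalent) it passes, otherwise a reader cannot reproduce 1.2 million entries and the default set limits will be hit long before that. The grammar fix to "There is currently only one main class of feeders" and the "exemple"/"test passes" corrections are correct; `regexes` does not need backticks as it is not an identifier.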