On Tue, 13 Apr 2010, Fred Posner wrote:
> I didn't want fail2ban as I'm already using blockhosts, which I just
> love. Since it's a UDP connection without the ability to spawn, I
> figured if I had to cron something I'd just do it myself. The reason I
> didn't do the tail was just out of a quickness in writing the script. My
> log rotate is weekly... so the tail method I didn't think would handle a
> single probe daily... whereas the quick log read would, taking less than
> a second on large logs. So it was a "pure laziness" approach of not
> having to write a counting log or similar.
I'm not sure there's any reason you couldn't use both blockhosts and
fail2ban and just use each for different things. File::Tail is just a bit
of code for Perl to keep a [log] file open for reading. It handles
reopening the file for you if the file is rotated. What your program does
with the data gotten via File::Tail is up to it. Are you really
worried about someone trying one auth per day though? OTOH, can there
really be any legitimate SIP access from Amazon EC2? Why not just use a
few iptables rules to block all of EC2's IP space?
----------------------------------------------------------------------
Jon Lewis | I route
Senior Network Engineer | therefore you are
Atlantic Net |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
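The rotation handling the reply attributes to File::Tail, sketched in Python so the mechanism is visible (drain the old handle, then reopen when the inode changes or the file shrinks), with a per-source tally that survives rotation. This is an added example, not code from either poster; the log line format and the names `RotatingTail`, `tally`, `append` and `demo` are assumptions.

```python
import collections, os, re, tempfile
# Constructed log format for illustration, not any real server's; adapt the pattern.
FAILED = re.compile(rb"auth failed from (\d{1,3}(?:\.\d{1,3}){3})")

class RotatingTail:  # returns lines appended to a log, reopening it after rotation
    def __init__(self, path):
        self.path, self.fh, self.inode, self.buf = path, None, None, b""
    def _open(self):
        self.fh, self.buf = open(self.path, "rb"), b""
        self.inode = os.fstat(self.fh.fileno()).st_ino
    def _drain(self):
        # Keep a trailing partial line buffered until its newline arrives.
        *done, self.buf = (self.buf + self.fh.read()).split(b"\n")
        return done
    def poll(self):
        lines = []
        try:
            if self.fh is None:
                self._open()
            lines = self._drain()  # also picks up the tail of a just-rotated file
            st = os.stat(self.path)
        except FileNotFoundError:
            return lines  # log missing or rotated away and not recreated yet
        if st.st_ino != self.inode or st.st_size < self.fh.tell():
            self.fh.close()  # renamed (new inode) or truncated in place
            self._open()
            lines += self._drain()
        return lines

def tally(lines, counts):
    for m in filter(None, map(FAILED.search, lines)):
        counts[m.group(1).decode()] += 1

def append(path, data):
    with open(path, "ab") as f:
        f.write(data)

def demo():
    counts = collections.Counter()
    with tempfile.TemporaryDirectory() as d:
        log = os.path.join(d, "sip.log")
        tail = RotatingTail(log)
        append(log, b"d1 auth failed from 192.0.2.10\nd1 call ok from 198.51.100.7\n")
        tally(tail.poll(), counts)
        append(log, b"d2 auth failed from 192.0.2.10\n")  # unread at rotation time
        os.rename(log, log + ".1")                        # constructed weekly rotation
        append(log, b"d8 auth failed from 192.0.2.10\n")  # first line of the new file
        tally(tail.poll(), counts)
        tail.fh.close()
    return counts
```

Because the counter lives in the long-running process rather than in the log, a source that fails once a day still accumulates across the weekly rotation.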