On Apr 13, 2010, at 2:25 PM, Jon Lewis wrote:
> On Tue, 13 Apr 2010, Fred Posner wrote:
>
>> I didn't want fail2ban as I'm already using blockhosts, which I just love. Since it's a UDP connection without the ability to spawn, I figured if I had to cron something I'd just do it myself. The reason I didn't do the tail was just out of a quickness in writing the script. My log rotate is weekly... so the tail method I didn't think would handle a single probe daily... whereas the quick log read would, taking less than a second on large logs. So it was a "pure laziness" approach of not having to write a counting log or similar.
>
> I'm not sure there's any reason you couldn't use both blockhosts and fail2ban and just use each for different things. File::Tail is just a bit of code for Perl to keep a [log] file open for reading. It handles reopening the file for you if the file is rotated. What your program does with the data gotten via File::Tail is up to it. Are you really worried about someone trying one auth per day though? OTOH, can there really be any legitimate SIP access from Amazon EC2? Why not just use a few iptables rules to block all of EC2's IP space?
>
Actually there are a few carriers using EC2 as a failover as well as some people just simply running their PBX there. The one a day is for probing attempts... which I have been seeing. I think the long term goal would be to make this a decent tool and help with some of the various VoIP attacks. In which case it might be instead of tail, using a line counter (starting at where last left off) as well as keeping track of counts within a time period.
---fred
http://qxork.com
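
The approach sketched in the message above (resume reading where the last cron run left off, and count failures per source within a time period so that a one-a-day probe still adds up), as an added example that is not part of the original thread or the script it discusses. The Asterisk-style log line format, the function names, the JSON state file, and the threshold and window values are all assumptions.

```python
import json
import os
import re
from datetime import datetime, timedelta

# Assumed Asterisk-style failure line; the thread does not show the real log format.
FAIL_RE = re.compile(
    r"^\[(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\] NOTICE\[\d+\] chan_sip\.c: "
    r"Registration from '.*' failed for '(\d{1,3}(?:\.\d{1,3}){3})'")
TS_FMT = "%Y-%m-%d %H:%M:%S"

def read_new_lines(log_path, state_path):
    """Return complete lines appended since the previous run (hypothetical helper)."""
    try:
        with open(state_path) as f:
            state = json.load(f)
    except (OSError, ValueError):
        state = {"inode": None, "offset": 0}
    st = os.stat(log_path)
    # Rotation: a different inode, or a file shorter than the saved offset
    # (copytruncate), means the saved position no longer applies.
    if state["inode"] != st.st_ino or st.st_size < state["offset"]:
        state = {"inode": st.st_ino, "offset": 0}
    with open(log_path, "rb") as f:
        f.seek(state["offset"])
        data = f.read()
    # Consume only whole lines; a half-written last line is re-read next run.
    end = data.rfind(b"\n") + 1
    state["offset"] += end
    with open(state_path, "w") as f:
        json.dump(state, f)
    return data[:end].decode("utf-8", "replace").splitlines()

def offenders(lines, history, now, window=timedelta(days=7), threshold=3):
    """Merge failures into history {ip: [timestamps]}, drop entries older
    than the window, and return the IPs at or over the threshold."""
    for line in lines:
        m = FAIL_RE.match(line)
        if m:
            history.setdefault(m.group(2), []).append(m.group(1))
    cutoff = now - window
    for ip in list(history):
        history[ip] = [t for t in history[ip]
                       if datetime.strptime(t, TS_FMT) >= cutoff]
        if not history[ip]:
            del history[ip]
    return sorted(ip for ip, ts in history.items() if len(ts) >= threshold)
```

A cron job would persist `history` between runs alongside the offset and hand the returned addresses to whatever does the blocking.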