|> Harry Enke wrote:
|> ...
|> Is this in error?
|> "Fail2ban scans log files like /var/log/pwdfail or
|> /var/log/apache/error_log and bans IP that makes too many password
|> failures. It updates firewall rules to reject the IP address."
|>
|> Examining logs after the event does not provide real-time protection.
I haven't looked at this tool, but sshblack scans the logs *as they are written* to monitor for likely attackers and updates the rules as the attacks begin. You can set the threshold in terms of number of tries over some period of time that triggers a rule to block an apparent attacker. You can be as aggressive or easy-going as you like. The result is that a brute force attack must be so ponderously slow as to be useless unless they just get ridiculously lucky or you used a ridiculously simple-to-guess password. I'd think this is what they mean. It's real-time monitoring with real-time blocking.
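The mechanism described in the reply above (watch the log as it is written, count failures per source address over a time window, and emit a firewall rule once a threshold is crossed) can be shown in a few dozen lines. The following is an added example written for this page; it is not code from sshblack or fail2ban. The threshold of 5 failures in a 600-second window, the `block_rule` iptables argument list, the `/var/log/auth.log` path in `follow`, and the sshd log lines are all assumptions or constructed sample data, not values taken from either tool. The sample log also illustrates the "ponderously slow" point: the second source spreads its attempts far enough apart that it never trips the window.

```python
import re
import time
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample lines in OpenSSH syslog style; addresses are documentation ranges.
SAMPLE_LOG = """\
Jan 10 10:00:01 host sshd[1001]: Failed password for invalid user admin from 192.0.2.10 port 4001 ssh2
Jan 10 10:00:03 host sshd[1002]: Failed password for root from 192.0.2.10 port 4002 ssh2
Jan 10 10:00:05 host sshd[1003]: Failed password for root from 192.0.2.10 port 4003 ssh2
Jan 10 10:00:07 host sshd[1004]: Accepted publickey for alice from 198.51.100.5 port 5000 ssh2
Jan 10 10:00:09 host sshd[1005]: Failed password for root from 192.0.2.10 port 4004 ssh2
Jan 10 10:00:11 host sshd[1006]: Failed password for root from 192.0.2.10 port 4005 ssh2
Jan 10 10:00:30 host sshd[1007]: Failed password for bob from 203.0.113.7 port 6000 ssh2
Jan 10 10:20:00 host sshd[1008]: Failed password for bob from 203.0.113.7 port 6001 ssh2
Jan 10 10:40:00 host sshd[1009]: Failed password for bob from 203.0.113.7 port 6002 ssh2
Jan 10 11:00:00 host sshd[1010]: Failed password for bob from 203.0.113.7 port 6003 ssh2
Jan 10 11:20:00 host sshd[1011]: Failed password for bob from 203.0.113.7 port 6004 ssh2
"""

# Matches only password failures; accepted logins and other sshd noise are ignored.
FAIL_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)
_EPOCH = datetime(1900, 1, 1)  # syslog lines carry no year; only differences matter


def _seconds(ts_text):
    """Convert a syslog timestamp to seconds relative to a fixed epoch."""
    return (datetime.strptime(ts_text, "%b %d %H:%M:%S") - _EPOCH).total_seconds()


def block_rule(ip):
    """Firewall command the watcher would run for a banned address (assumed iptables form)."""
    return ["iptables", "-I", "INPUT", "-s", ip, "-j", "DROP"]


class FailureTracker:
    """Sliding-window counter: ban an IP once it logs `threshold` failures within `window_seconds`."""

    def __init__(self, threshold=5, window_seconds=600):
        self.threshold = threshold
        self.window = window_seconds
        self.attempts = defaultdict(deque)  # ip -> timestamps of recent failures
        self.banned = {}                    # ip -> timestamp at which the ban was issued

    def observe(self, line):
        """Feed one log line; return the IP if this line triggers a ban, else None."""
        m = FAIL_RE.match(line)
        if not m:
            return None
        ip, now = m.group("ip"), _seconds(m.group("ts"))
        if ip in self.banned:
            return None
        q = self.attempts[ip]
        q.append(now)
        while q and now - q[0] > self.window:   # drop failures older than the window
            q.popleft()
        if len(q) >= self.threshold:
            self.banned[ip] = now
            return ip
        return None


def scan_log(text, threshold=5, window_seconds=600):
    """Run the tracker over a block of log text; return {ip: rule argv} for every ban."""
    tracker = FailureTracker(threshold, window_seconds)
    return {ip: block_rule(ip) for ip in map(tracker.observe, text.splitlines()) if ip}


def follow(path="/var/log/auth.log", poll_seconds=1.0):
    """Yield lines appended to `path` after startup, i.e. watch the log as it is written."""
    with open(path, "r") as fh:
        fh.seek(0, 2)  # start at end of file so only new lines are seen
        while True:
            line = fh.readline()
            if line:
                yield line
            else:
                time.sleep(poll_seconds)


if __name__ == "__main__":
    for ip, rule in scan_log(SAMPLE_LOG).items():
        print(ip, "->", " ".join(rule))
```

Running the module prints one ban, for 192.0.2.10, because it reaches five failures within ten seconds; 203.0.113.7 also fails five times but twenty minutes apart, so no five attempts ever fall inside the 600-second window and it is never blocked. To use this against a live host you would iterate `follow()` instead of `SAMPLE_LOG.splitlines()` and hand `block_rule(ip)` to `subprocess.run` with appropriate privileges; the window and threshold are the "aggressive or easy-going" knobs the reply refers to.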