Mustafa Cagatayli <[email protected]> wrote:
> For keeping an archive of what is happening, a syslog would definitely be
> enough. But this is an issue which needs immediate action. And the simplest
> solution seems to be an email or SMS message. Or else, I'll have to invest
> in a syslog server with triggering feature.

The hint Nigel was giving was to use a tool which monitors the log for you. For example, I use fail2ban on most of the machines I manage. Its primary purpose (hence the name) is to ban IP addresses from which you get failed logins and such - so if someone tries brute-force password attempts on accounts on your server, fail2ban will cut off the IP address after several tries. It isn't perfect, but it sure stops them trying thousands and thousands of attempts in a few minutes.

Fail2ban is configurable, so you could write a check that looks for the logs when PolicyD is throttling emails and have it perform an action on that - actions can include blocking the IP with an iptables call, emailing someone, or whatever you can write a script for.

_______________________________________________
Users mailing list
[email protected]
http://lists.policyd.org/mailman/listinfo/users_lists.policyd.org
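As an added illustration of the check described above (this is not code from the thread, from PolicyD or from fail2ban), the script below does in plain Python what a fail2ban jail does: it runs a `failregex` with fail2ban's `<HOST>` tag over syslog lines, keeps a sliding `findtime` window per client IP, and reports the hosts that hit `maxretry` within that window, which is the point at which fail2ban would fire its action (iptables ban, mail, or a custom script). The PolicyD log message text (`module=Quotas ... quota exceeded ... client=`) is an assumed format constructed for the example; check it against what your own mail log prints before copying the expression into a `filter.d` file.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# fail2ban-style failregex.  fail2ban expands <HOST> into its own IP/hostname
# pattern; compile_failregex() does the same so this line could go into
# /etc/fail2ban/filter.d/policyd-throttle.conf as-is.
# The PolicyD message text is an ASSUMED format for illustration only.
FAILREGEX = r"policyd\[\d+\]: .*quota exceeded.*client=<HOST>"

# Simplified stand-in for fail2ban's <HOST> expansion: IPv4 or bare IPv6.
HOST_PATTERN = r"(?P<host>(?:\d{1,3}\.){3}\d{1,3}|[0-9a-fA-F:]+)"

# Classic syslog prefix: "Mar 10 12:00:01 mx1 <message>"
SYSLOG_LINE = re.compile(r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ (?P<msg>.*)$")

# Constructed sample log (not real PolicyD output): one client is throttled
# three times inside ten minutes, another only twice, over an hour apart.
SAMPLE_LOG = """\
Mar 10 12:00:01 mx1 policyd[2211]: module=Quotas, action=defer, quota exceeded for sender=a@example.org client=203.0.113.7
Mar 10 12:00:05 mx1 postfix/smtpd[2290]: connect from unknown[203.0.113.7]
Mar 10 12:02:41 mx1 policyd[2211]: module=Quotas, action=defer, quota exceeded for sender=a@example.org client=203.0.113.7
Mar 10 12:03:10 mx1 policyd[2211]: module=Quotas, action=defer, quota exceeded for sender=b@example.net client=198.51.100.22
Mar 10 12:04:59 mx1 policyd[2211]: module=Quotas, action=defer, quota exceeded for sender=a@example.org client=203.0.113.7
Mar 10 13:30:00 mx1 policyd[2211]: module=Quotas, action=defer, quota exceeded for sender=b@example.net client=198.51.100.22
Mar 10 13:31:00 mx1 policyd[2211]: module=Quotas, action=defer, quota exceeded for sender=b@example.net client=198.51.100.22
""".splitlines()


def compile_failregex(failregex: str) -> re.Pattern:
    """Expand the <HOST> tag into a named capturing group, as fail2ban does."""
    return re.compile(failregex.replace("<HOST>", HOST_PATTERN))


def parse_line(line: str, year: int):
    """Split a syslog line into (timestamp, message); syslog omits the year."""
    m = SYSLOG_LINE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    return ts, m.group("msg")


def find_offenders(lines, failregex=FAILREGEX, maxretry=3, findtime=600, year=2024):
    """Return {host: trigger_time} for every host whose matches reach
    maxretry within a findtime-second sliding window -- the decision a
    fail2ban jail makes before running its action."""
    pattern = compile_failregex(failregex)
    windows = defaultdict(deque)   # host -> timestamps of recent matches
    triggered = {}
    for line in lines:
        parsed = parse_line(line, year)
        if parsed is None:
            continue
        ts, msg = parsed
        m = pattern.search(msg)
        if not m:
            continue
        host = m.group("host")
        if host in triggered:
            continue                # already "banned"; fail2ban stops counting
        window = windows[host]
        window.append(ts)
        # Drop matches that fell out of the findtime window.
        while (ts - window[0]).total_seconds() > findtime:
            window.popleft()
        if len(window) >= maxretry:
            triggered[host] = ts
    return triggered


if __name__ == "__main__":
    for host, when in find_offenders(SAMPLE_LOG).items():
        print(f"{when:%b %d %H:%M:%S} would trigger action for {host}")
```

With the defaults only 203.0.113.7 trips the check; 198.51.100.22 is throttled twice but more than `findtime` apart, so it never accumulates `maxretry` hits. In a real deployment the same `failregex` goes into a filter file, a jail in `jail.local` points it at the mail log with these `maxretry`/`findtime` values and the action of your choice (fail2ban ships mail-sending actions alongside the iptables ones), and `fail2ban-regex <logfile> <filterfile>` lets you confirm the expression matches your actual PolicyD lines before enabling the jail.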
