On 01/06/11 16:13, Allen David Niven wrote:
> what does ossec give u that fail2ban does not?
> thx and cheers

Replied to list so others can find this in the future if they want to.

I haven’t spent a lot of time investigating fail2ban as I was already
using OSSEC before I saw much talk about fail2ban with Asterisk.

Anyway, as far as I can see, my main advantage is that OSSEC has multiple
levels of incidents. So I can create rules to send emails out for
unusual activity that might not necessarily require an IP block but
needs checking out.

My fear with something that just watches Asterisk logs for a very
specific known attack metric and then blocks IP(s) based on that is: what
happens when the attackers start doing something different?

Fail2ban may well do all this as well, I don’t know, but I find OSSEC
does it very well and the XML rules and log decoders are very versatile.