I was looking at the fail2ban project and had an idea that instead of
parsing log files it could be possible to notify interested parties
(like fail2ban) via (for instance) D-bus about a failed login attempt.
Other applications could also use this protocol to notify about suspect
behaviors. A central functionality will allow for other (new) projects
to integrate without much effort.
What do you think?

Apart from the current trend of minimizing attack surface,
this would need some kind of queue in case the analyzer
was stopped, temporarily busy, or whatever.
I guess that should use stable storage instead of RAM
(to not go OOM just because of external events) -
and now we're at the current solution already,
with sshd logging to disk and fail2ban reading these files.
Sure, we might be able to ease parsing by dropping JSON
instead of text files -- but that would be _additional_ IO,
and the "problem" of parsing is already solved,
so it doesn't seem to be any real improvement.
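Added example (not from either poster, and not fail2ban's own code): the parsing side the reply refers to, i.e. what fail2ban does with the auth log sshd already writes, run over constructed auth.log lines with the usual maxretry/findtime jail parameters.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample lines in the syslog format sshd writes to /var/log/auth.log.
# Syslog timestamps carry no year, so a fixed year is assumed when parsing.
SAMPLE_AUTH_LOG = """\
Mar  3 10:00:01 host sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Mar  3 10:00:05 host sshd[1202]: Failed password for root from 203.0.113.7 port 51240 ssh2
Mar  3 10:00:09 host sshd[1203]: Accepted publickey for alice from 198.51.100.4 port 40002 ssh2
Mar  3 10:00:12 host sshd[1204]: Failed password for root from 203.0.113.7 port 51251 ssh2
Mar  3 10:25:00 host sshd[1210]: Failed password for root from 198.51.100.4 port 40010 ssh2
Mar  3 10:40:00 host sshd[1211]: Failed password for root from 198.51.100.4 port 40011 ssh2
Mar  3 10:55:00 host sshd[1212]: Failed password for root from 198.51.100.4 port 40012 ssh2
"""

# Matches sshd's "Failed password" line, with or without the "invalid user" prefix.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>[0-9a-fA-F.:]+) port \d+"
)

def parse_failures(text, year=2024):
    """Yield (timestamp, source_ip) for every failed-password line in text."""
    for line in text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["ip"]

def find_bans(text, maxretry=3, findtime=600):
    """Return source IPs with at least maxretry failures inside any
    findtime-second window, the jail rule fail2ban applies to the same file."""
    recent = defaultdict(deque)   # per-IP sliding window of failure timestamps
    banned = []
    for ts, ip in parse_failures(text):
        window = recent[ip]
        window.append(ts)
        while (ts - window[0]).total_seconds() > findtime:
            window.popleft()      # drop failures older than findtime
        if len(window) >= maxretry and ip not in banned:
            banned.append(ip)
    return banned
```

With the default 10-minute findtime only the burst from 203.0.113.7 trips the threshold; widening findtime to an hour also catches the slow retries from 198.51.100.4.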
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev