[zeromq-dev] What about using ZAP's EACCESS to feed fail2ban ?

Laurent Alebarde l.alebarde at free.fr
Fri Oct 4 10:16:16 CEST 2013

When ZAP is used, libzmq gains information on possible enemies. It may 
be interesting to manage an EACCESS trigger counter per IP, in order to 
be able to feed a fail2ban-like list.

Rationale: Efforts have been made in the code, and argued for, to 
delay the costly operations in the curve protocol, to avoid some types 
of attacks. So, it makes sense to delegate the rejection of enemies to 
the firewall via fail2ban.

Use case: For example, if an IP raises 3 EACCESS in less than 2 
minutes, it is banned for one hour directly by the firewall.

This could be implemented via an STL map with the IP as a key, with a 
value being a structure containing the counter, the state, a timestamp 
of the last trigger, and alongside, a timestamp-ordered STL set of the 
IP-keys. The state is true if the counter reaches a parametrisable level 
(say 3 times). The number of IPs memorized or the duration of the memory 
SHALL be parametrisable.

It should be open to enable other conditions than ZAP EACCESS, for 
future mechanisms, so the API SHOULD be something like:

if (errno == EACCESS) record_ennemy();

in, say, the curve_server.cpp file.

In the background, a text file compatible with fail2ban is maintained.
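The data structure sketched in the post (an STL map keyed by IP, a timestamp-ordered STL set of the keys, a parametrisable threshold, window, memory duration and size cap) as an added, self-contained C++ example. This is illustration code written for this thread, not libzmq code and not the author's implementation; the class and function names (enemy_tracker, record, fail2ban_line, append_line), the log-line format and the "zmq-zap: ban <HOST>" failregex it is meant to match are all assumptions. It deliberately does not touch errno or the ZAP handler: the caller passes the peer IP and a timestamp, and gets back whether this trigger is the one that crosses the threshold, so exactly one fail2ban line is written per ban.

```cpp
// Added example (not libzmq code): per-IP EACCESS trigger counter feeding a
// fail2ban-style text file. All names and the log format are assumptions.
#include <cstdint>
#include <cstdio>
#include <ctime>
#include <map>
#include <set>
#include <string>
#include <utility>

struct ip_record {
    unsigned count;        // triggers seen in the current window
    bool banned;           // state: true once count reached the threshold
    int64_t window_start;  // timestamp (s) of the first trigger of the window
    int64_t last_trigger;  // timestamp (s) of the most recent trigger
};

class enemy_tracker {
public:
    // threshold: triggers needed to ban; window/memory in seconds;
    // max_ips: cap on the number of IPs remembered.
    enemy_tracker(unsigned threshold, int64_t window, int64_t memory, size_t max_ips)
        : threshold_(threshold), window_(window), memory_(memory), max_ips_(max_ips) {}

    // Record one trigger for ip at time now. Returns true only on the trigger
    // that moves ip into the banned state (later triggers return false).
    bool record(const std::string &ip, int64_t now) {
        expire(now);
        std::map<std::string, ip_record>::iterator it = records_.find(ip);
        if (it == records_.end()) {
            ip_record fresh = {0, false, now, now};
            it = records_.insert(std::make_pair(ip, fresh)).first;
        } else {
            by_time_.erase(std::make_pair(it->second.last_trigger, ip));  // re-index
            if (now - it->second.window_start >= window_) {  // window elapsed: restart count
                it->second.window_start = now;
                it->second.count = 0;
            }
            it->second.last_trigger = now;
        }
        by_time_.insert(std::make_pair(now, ip));
        ip_record &r = it->second;
        ++r.count;
        bool newly_banned = false;
        if (!r.banned && r.count >= threshold_) {  // banned state persists until memory expiry
            r.banned = true;
            newly_banned = true;
        }
        while (records_.size() > max_ips_) drop_oldest();  // enforce the memory cap
        return newly_banned;
    }

    bool is_banned(const std::string &ip) const {
        std::map<std::string, ip_record>::const_iterator it = records_.find(ip);
        return it != records_.end() && it->second.banned;
    }
    bool known(const std::string &ip) const { return records_.count(ip) != 0; }
    size_t size() const { return records_.size(); }

private:
    // Oldest entry is the first element of the timestamp-ordered set.
    void drop_oldest() {
        std::set<std::pair<int64_t, std::string> >::iterator oldest = by_time_.begin();
        records_.erase(oldest->second);
        by_time_.erase(oldest);
    }
    // Forget IPs whose last trigger is older than the memory duration.
    void expire(int64_t now) {
        while (!by_time_.empty() && now - by_time_.begin()->first > memory_) drop_oldest();
    }

    unsigned threshold_;
    int64_t window_, memory_;
    size_t max_ips_;
    std::map<std::string, ip_record> records_;               // IP -> record
    std::set<std::pair<int64_t, std::string> > by_time_;     // (last_trigger, IP), ordered
};

// One log line in a shape fail2ban can match, e.g. with the (assumed)
// failregex "zmq-zap: ban <HOST>"; timestamp is UTC.
std::string fail2ban_line(const std::string &ip, int64_t now) {
    char stamp[32];
    std::time_t t = static_cast<std::time_t>(now);
    std::strftime(stamp, sizeof stamp, "%Y-%m-%d %H:%M:%S", std::gmtime(&t));
    return std::string(stamp) + " zmq-zap: ban " + ip;
}

// Append one line to the text file fail2ban watches; false on I/O error.
bool append_line(const std::string &path, const std::string &line) {
    std::FILE *f = std::fopen(path.c_str(), "a");
    if (!f) return false;
    bool ok = std::fputs((line + "\n").c_str(), f) >= 0;
    return std::fclose(f) == 0 && ok;
}

int main() {
    // Constructed scenario: 3 triggers in under 2 minutes, memory 1 hour, 1000 IPs.
    enemy_tracker tracker(3, 120, 3600, 1000);
    const std::string peer = "203.0.113.7";  // documentation-range address, constructed
    for (int64_t t = 0; t < 90; t += 30)
        if (tracker.record(peer, t)) std::puts(fail2ban_line(peer, t).c_str());
    return 0;
}
```

The window check compares against the first trigger of the current window, so a source that trips EACCESS once every few minutes never reaches the threshold, while the memory cap and expiry bound how much state a flood of distinct source addresses can make the process hold.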

