Anton Lindstrom (about, @twitter, @github)

mc-auth Auth.log Scanner for MCollective


I have tried to make my own MCollective plugin and decided to make a plugin that checks every node's auth.log for authentication failures. Instead of using Fail2ban, I wanted to have more control and to see which IPs are brute-forcing my servers and how many attempts they are making against them.

Writing the agent was fairly easy, but there were some bumps. I do not really know how to send multiple values as a hash in MCollective. Instead, I used a join method in the agent and then a split method in the client. It works, but I do not know if that is the best method.

mc-auth sample output

The plan for later is to integrate my mc-auth plugin with the mc-iptables plugin to block failed authentications above some sort of threshold value, to be able to keep it even better. Some sort of YAML export function in mc-auth would be nice as well.
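
The scan, the join/split transport and the threshold idea described above can be sketched in plain Ruby. This is an added example, not the mc-auth source and not MCollective API code; the function names, the `ip=count` string format and the sample log lines are assumptions made for illustration.

```ruby
require 'ipaddr'

# Constructed sample lines; addresses are from documentation ranges.
# The last line has a user name that itself contains "from 10.0.0.1".
SAMPLE_AUTH_LOG = <<~LOG
  Mar  3 10:01:12 web1 sshd[2101]: Failed password for root from 203.0.113.7 port 40122 ssh2
  Mar  3 10:01:15 web1 sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 40130 ssh2
  Mar  3 10:02:40 web1 sshd[2150]: Accepted publickey for anton from 192.0.2.10 port 51514 ssh2
  Mar  3 10:03:02 web1 sshd[2177]: Failed password for invalid user test from 198.51.100.23 port 33810 ssh2
  Mar  3 10:03:09 web1 sshd[2177]: Failed password for root from 203.0.113.7 port 40201 ssh2
  Mar  3 10:04:00 web1 sshd[2190]: Failed password for invalid user from 10.0.0.1 from 198.51.100.23 port 33999 ssh2
LOG

# The user name is supplied by the remote side, so anchor at the end of the line.
FAILED_RE = /sshd\[\d+\]: Failed password for .* from (\S+) port \d+ ssh2\s*$/

# Agent side: count failed password attempts per source IP.
def count_failures(log_text)
  counts = Hash.new(0)
  log_text.each_line do |line|
    m = FAILED_RE.match(line)
    next unless m
    begin
      counts[IPAddr.new(m[1]).to_s] += 1
    rescue IPAddr::Error
      next # not an IP address, so it never reaches the joined string
    end
  end
  counts
end

# Agent side: flatten the hash into one string ("ip=count,ip=count").
def pack_counts(counts)
  counts.map { |ip, n| "#{ip}=#{n}" }.join(',')
end

# Client side: split the string back into a hash.
def unpack_counts(packed)
  packed.split(',').map { |pair| ip, n = pair.split('=', 2); [ip, Integer(n)] }.to_h
end

# Client side: sum the replies from all nodes.
def merge_replies(packed_replies)
  packed_replies.each_with_object(Hash.new(0)) do |packed, total|
    unpack_counts(packed).each { |ip, n| total[ip] += n }
  end
end

# IPs whose total is over the threshold (candidates for a block list).
def over_threshold(counts, threshold)
  counts.select { |_ip, n| n > threshold }.keys.sort
end
```

Because every key is validated as an IP address before packing, the `,` and `=` delimiters cannot appear inside a value, which is what keeps the join/split round trip unambiguous.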