You don't need to do this in libzmq; it can be completely hidden in the ZAP handler.
On Fri, Oct 4, 2013 at 10:16 AM, Laurent Alebarde <[email protected]> wrote:
> When ZAP is used, libzmq gains information on possible enemies. It may be
> interesting to manage an EACCESS trigger counter per IP, in order to be able
> to feed a fail2ban-like list.
>
> Rationale: efforts are made in the code, and it has been argued, to delay
> the costly operations in the curve protocol, to avoid some types of attacks.
> So it makes sense to delegate to the firewall, via fail2ban, the rejection of
> enemies.
>
> Use case: for example, if an IP raises 3 EACCESS in less than 2 minutes, it
> is banned for one hour directly by the firewall.
>
> This could be implemented via an STL map with the IP as key, with a value
> being a structure containing the counter, the state, a timestamp of the last
> trigger, and alongside, a timestamp-ordered STL set of the IP keys. The
> state is true if the counter reaches a parametrisable level (say 3 times).
> The number of IPs memorized or the duration of the memory SHALL be
> parametrisable.
>
> It should be open to enable other conditions than ZAP EACCESS, for future
> mechanisms, so the API SHOULD be something like:
>
> if (errno == EACCESS) record_ennemy();
>
> in, say, the curve_server.cpp file.
>
> In the background, a text file compatible with fail2ban is maintained.
>
> _______________________________________________
> zeromq-dev mailing list
> [email protected]
> http://lists.zeromq.org/mailman/listinfo/zeromq-dev
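The structure Laurent describes (an IP-keyed map plus a timestamp-ordered set, with a threshold, a window and a ban duration) can live entirely in the ZAP handler, as the reply says. The block below is an added example and is not libzmq code nor code from either poster: it implements that counter, refuses banned peers at the ZAP level, and appends one line to a log that fail2ban can be pointed at when a ban starts. The names EnemyTracker, handle_zap and fail2ban_line, the "zap-auth: DENIED from" log format, the CURVE public-key allow-list standing in for real policy, and all sample IPs and keys are assumptions made for the example. The ZAP frame layout follows ZAP 1.0 (rfc.zeromq.org/spec:27); timestamps are plain Unix seconds so the logic is deterministic.

```cpp
// Added example: per-IP failure counting inside a ZAP handler. Not libzmq code.
#include <cstdint>
#include <ctime>
#include <map>
#include <set>
#include <string>
#include <utility>
#include <vector>

struct EnemyEntry {
    unsigned count = 0;        // failures seen inside the current window
    int64_t last_seen = 0;     // unix time of the latest failure
    int64_t banned_until = 0;  // unix time the ban expires, 0 = not banned
};

// Map IP -> entry, plus (last_seen, IP) keys ordered oldest-first so that
// stale entries can be expired and the table bounded (hypothetical class).
class EnemyTracker {
public:
    EnemyTracker(unsigned threshold, int64_t window, int64_t ban_duration, size_t max_entries)
        : threshold_(threshold), window_(window), ban_duration_(ban_duration), max_entries_(max_entries) {}

    // Record one failure for ip at time now. Returns true only on the call
    // that crosses the threshold, i.e. the moment the ban starts.
    bool record_failure(const std::string &ip, int64_t now) {
        expire(now);
        auto it = entries_.find(ip);
        if (it == entries_.end()) {
            while (!entries_.empty() && entries_.size() >= max_entries_) evict_oldest();
            it = entries_.emplace(ip, EnemyEntry()).first;
        } else {
            by_time_.erase(std::make_pair(it->second.last_seen, ip));
            if (now - it->second.last_seen > window_) it->second.count = 0;  // old failures no longer count
        }
        EnemyEntry &e = it->second;
        ++e.count;
        e.last_seen = now;
        by_time_.insert(std::make_pair(now, ip));
        if (e.count >= threshold_ && e.banned_until <= now) {
            e.banned_until = now + ban_duration_;
            return true;
        }
        return false;
    }

    bool is_banned(const std::string &ip, int64_t now) const {
        auto it = entries_.find(ip);
        return it != entries_.end() && it->second.banned_until > now;
    }

    size_t size() const { return entries_.size(); }

private:
    // Drop entries whose last failure is older than the window, unless a ban is still running.
    void expire(int64_t now) {
        for (auto it = by_time_.begin(); it != by_time_.end();) {
            if (it->first + window_ >= now) break;  // everything after this is newer
            auto e = entries_.find(it->second);
            if (e != entries_.end() && e->second.banned_until > now) { ++it; continue; }
            if (e != entries_.end()) entries_.erase(e);
            it = by_time_.erase(it);
        }
    }
    void evict_oldest() {
        auto oldest = by_time_.begin();
        entries_.erase(oldest->second);
        by_time_.erase(oldest);
    }

    unsigned threshold_;
    int64_t window_, ban_duration_;
    size_t max_entries_;
    std::map<std::string, EnemyEntry> entries_;
    std::set<std::pair<int64_t, std::string>> by_time_;
};

// One log line per new ban, in a constructed format (assumed, not a fail2ban standard):
// "YYYY-MM-DD HH:MM:SS zap-auth: DENIED from <ip>", timestamp in UTC.
std::string fail2ban_line(const std::string &ip, int64_t now) {
    std::time_t t = static_cast<std::time_t>(now);
    char stamp[32];
    std::strftime(stamp, sizeof stamp, "%Y-%m-%d %H:%M:%S", std::gmtime(&t));
    return std::string(stamp) + " zap-auth: DENIED from " + ip;
}

// ZAP 1.0 request frames: version, request id, domain, address, identity, mechanism, credentials...
// Reply frames: version, request id, status code, status text, user id, metadata.
// Only CURVE is handled here; the single credential frame is the client public key,
// checked against an allow-list that stands in for real policy (assumption).
std::vector<std::string> handle_zap(EnemyTracker &tracker, const std::set<std::string> &allowed_keys,
                                    const std::vector<std::string> &req, int64_t now,
                                    std::vector<std::string> &log) {
    std::string id = req.size() > 1 ? req[1] : std::string();
    auto reply = [&](const char *code, const char *text) {
        return std::vector<std::string>{"1.0", id, code, text, "", ""};
    };
    if (req.size() < 6 || req[0] != "1.0") return reply("400", "Malformed request");
    const std::string &address = req[3];
    if (tracker.is_banned(address, now)) return reply("400", "Banned");  // no credential check at all
    if (req[5] == "CURVE" && req.size() >= 7 && allowed_keys.count(req[6])) return reply("200", "OK");
    if (tracker.record_failure(address, now)) log.push_back(fail2ban_line(address, now));
    return reply("400", "Denied");
}
```

Because the handler already counts, the matching fail2ban jail would use `maxretry = 1` and `bantime = 3600` with a `failregex` ending in `DENIED from <HOST>$`. One caveat worth keeping in mind when weighing the two approaches: with CURVE, libzmq only sends the ZAP request after the client's INITIATE command has been decrypted, so a 400 from the handler denies access but does not spare the server that cryptographic work; only the firewall ban driven by the log line does.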
