"Not a Pentest" Trust-Anker: Das IDS dient der defensiven Erkennung von Angriffen auf die eigenen Systeme; es enthält keine Angriffswerkzeuge.
OpenClaw Intrusion Detection Setup
Früherkennung von Angriffen auf OpenClaw — OSSEC für Log-Analyse, Fail2ban für automatisches IP-Blocking und Suricata für Netzwerk-IDS.
🔐 Fail2ban Konfiguration
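# /etc/fail2ban/jail.local — OpenClaw configuration
# Read by fail2ban (configparser-based): keep comments on their own line,
# never after a value — text after the value may be read as part of the value.
# bantime and findtime are in seconds.
[DEFAULT]
# how long an address stays banned (1 hour)
bantime = 3600
# window in which maxretry failures trigger a ban (10 minutes)
findtime = 600
# failures within findtime before a ban
maxretry = 5
# never ban loopback/own addresses (protects against locking yourself out);
# add the admin network here if needed
ignoreip = 127.0.0.1/8 ::1
# "auto" follows the files named in logpath (required by the nginx jails below);
# "systemd" reads only the journal and ignores logpath. Can be overridden per jail.
backend = auto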
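# SSH brute force (journal-based on systemd hosts; logpath is the file fallback)
[sshd]
enabled = true
# must match the Port directive in sshd_config
port = 2222
filter = sshd
# read sshd messages from the journal; logpath only applies to file backends
backend = systemd
logpath = /var/log/auth.log
# stricter than the default: 3 failures within findtime
maxretry = 3
# 24 h ban for SSH
bantime = 86400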
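# OpenClaw API auth failures (401 on /api/auth/* in the nginx access log,
# see filter.d/openclaw-auth.conf)
[openclaw-auth]
enabled = true
port = http,https
filter = openclaw-auth
# file-based log: needs a file backend, not systemd
backend = auto
# NOTE: <HOST> is the first field of the access log; behind a reverse proxy or CDN
# nginx must log the real client address (real_ip), otherwise the proxy gets banned
logpath = /var/log/nginx/access.log
# 10 failed auth requests within 60 s
maxretry = 10
findtime = 60
# 1 hour
bantime = 3600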
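# nginx rapid requests (rate-limit hits logged by the limit_req module)
[nginx-limit-req]
enabled = true
port = http,https
# filter shipped with fail2ban; only fires if nginx has limit_req_zone/limit_req configured
filter = nginx-limit-req
# file-based log: needs a file backend, not systemd
backend = auto
logpath = /var/log/nginx/error.log
# 10 rate-limit hits within findtime
maxretry = 10
# short ban (10 minutes) — bursts are often legitimate clients
bantime = 600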
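# /etc/fail2ban/filter.d/openclaw-auth.conf
# Matches nginx access-log lines with a 401 response to the OpenClaw auth endpoints.
# <HOST> is fail2ban's placeholder for the client address.
# Assumes the default "combined" log_format, where the request is quoted:
#   1.2.3.4 - - [date] "POST /api/auth/login HTTP/1.1" 401 ...   (constructed example)
# Adjust the pattern if nginx uses a custom log_format.
[Definition]
# The status code is anchored to the closing quote of the request and the
# following whitespace, so a 401 elsewhere in the line (size, referer, user
# agent) does not count as a failure.
failregex = ^<HOST> .*"POST /api/auth/(?:activate|login) HTTP[^"]*" 401\s
ignoreregex =
# verify against real log data with: fail2ban-regex /var/log/nginx/access.log openclaw-auth

📊 IDS Alert Levels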
Level 15 (Critical)
Rootkit oder System Compromise
Sofort-Alert + Auto-Block
Level 12 (High)
Privilege-Escalation-Versuch
Alert Security Team
Level 8 (Medium)
Wiederholte Auth-Fehler
Fail2ban Block + Log
Level 5 (Low)
Einzelne fehlgeschlagene Logins
Log + Statistik