bergman on 22 Mar 2009 17:19:33 -0700


Re: [PLUG] Fail2ban (was: Re: 'logcheck')

In the message dated: Sun, 22 Mar 2009 19:20:46 EDT,
The pithy ruminations from Douglas Muth on 
<[PLUG] Fail2ban (was: Re: 'logcheck')> were:
=> On Sun, Mar 22, 2009 at 4:17 PM, JP Vossen <> wrote:
=> > I have said this before but I am a huge fan of the Debian/Ubuntu
=> > implementation of logcheck. I am also not aware of any other major
=> > distro that makes using logcheck so "built-in" and easy.
=> >
=> > If you run any kind of Debian/Ubuntu server, you really need to be using
=> > this. As soon as something bad or new happens, you get an email. It's
=> > like magic.
=> Speaking of "must have" packages for servers, I'm a big fan of fail2ban, myself:
=> fail2ban - bans IPs that cause multiple authentication errors


=> By default, installing fail2ban via apt-get will also include a
=> configuration that drops traffic from a remote host after 6 failed SSH
=> attempts.  This was a godsend when some host from China kept trying to
=> log into one of my machines every 10 seconds.  The installation

Ha! Less than 3 minutes before reading your post, I was examining the fail2ban 
report mail about unsuccessful login attempts...from over 25 different Chinese 
hosts today.

=> process started the daemon, and 6 login attempts later, all traffic
=> from that host was dropped via iptables.

Six login attempts? You're very generous. I ban hosts after 3 attempts. I 
also changed the banned period from the default to one hour.


=> -- Doug
=> ___________________________________________________________________________
=> Philadelphia Linux Users Group         --
=> Announcements -
=> General Discussion  --

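
Added example, not part of the original message and not fail2ban's own code: a simplified Python model of the ban threshold discussed above, run over a constructed auth.log excerpt (documentation IP addresses, one host retrying every 10 seconds) to compare a 6-attempt limit with a 3-attempt limit and a one-hour ban. The 10-minute counting window and the 10-minute ban used in the 6-attempt case are assumed values, and `simulate` and `sample_log` are hypothetical names.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# sshd "Failed password" line as it appears in auth.log
FAILED = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (\d+\.\d+\.\d+\.\d+) ")

def simulate(lines, maxretry, findtime, bantime, year=2009):
    """Return [(ip, banned_at, ban_expires)] under a simplified ban policy."""
    recent = defaultdict(deque)   # ip -> failure times still inside findtime
    banned_until = {}             # ip -> time the ban expires
    bans = []
    for line in lines:
        m = FAILED.match(line)
        if not m:
            continue              # successful logins and other lines are ignored
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        ip = m.group(2)
        if ip in banned_until and ts < banned_until[ip]:
            continue              # with a real ban the firewall drops this attempt
        window = recent[ip]
        window.append(ts)
        while ts - window[0] > findtime:
            window.popleft()      # forget failures older than findtime
        if len(window) >= maxretry:
            banned_until[ip] = ts + bantime
            bans.append((ip, ts, ts + bantime))
            window.clear()
    return bans

def sample_log():
    """Constructed log: 192.0.2.10 retries every 10 s; alice mistypes twice."""
    start = datetime(2009, 3, 22, 12, 0, 0)
    lines = [f"{(start + timedelta(seconds=10 * i)):%b %d %H:%M:%S} srv sshd[4000]: "
             "Failed password for root from 192.0.2.10 port 40000 ssh2"
             for i in range(8)]
    alice = "Mar 22 %s srv sshd[4100]: %s password for alice from 198.51.100.7 port 51000 ssh2"
    lines.insert(2, alice % ("12:00:15", "Failed"))
    lines.insert(4, alice % ("12:00:25", "Failed"))
    lines.append(alice % ("12:01:30", "Accepted"))
    return lines

if __name__ == "__main__":
    for retry, ban in ((6, timedelta(minutes=10)), (3, timedelta(hours=1))):
        for ip, at, end in simulate(sample_log(), retry, timedelta(minutes=10), ban):
            print(f"maxretry={retry}: {ip} banned {at:%H:%M:%S} until {end:%H:%M:%S}")
```

With a retry every 10 seconds, the 3-attempt limit bans the host 30 seconds sooner than the 6-attempt limit, and neither limit bans the user who mistyped a password twice.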