Andrew Libby on 23 Mar 2009 05:56:21 -0700


Re: [PLUG] Fail2ban (was: Re: 'logcheck')

Douglas Muth wrote:
> Speaking of "must have" packages for servers, I'm a big fan of fail2ban, myself:
> fail2ban - bans IPs that cause multiple authentication errors
> By default, installing fail2ban via apt-get will also include a
> configuration that drops traffic from a remote host after 6 failed SSH
> attempts.  This was a godsend when some host from China kept trying to
> log into one of my machines every 10 seconds.  The installation
> process started the daemon, and 6 login attempts later, all traffic
> from that host was dropped via iptables.

Can anyone speak to denyhosts, and how fail2ban and
denyhosts stack up to each other?

Anecdotally, don't become complacent when using tools like
these.  Strong passwords and otherwise appropriate
firewalling are important.  Last year there was at least one
discussion on the list here about distributed password
attacks.  Secure versus insecure passwords can require
orders of magnitude difference in the number of attempts
before a cracked password.  The difference between six
and even a single request using fail2ban or denyhosts
is not even a single order of magnitude.  It's a
mere factor of six.   To be safest use several

o Don't permit root logins

o Only allow a select subset of users to log in via
  public services.  Exclude system users or other
  users that don't need interactive logins.

o If possible, disallow password authentication
  altogether.

o And use tools like fail2ban or denyhosts as well
  as good firewall policy.

Sorry if I sound preachy.  I got complacent recently and got

Best luck to all!


Tangeis, LLC
Andrew Libby
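
A small audit of the first three recommendations in the list above against an sshd_config, added here as an example and not part of the original message. The sample configs, user names and function names are constructed; it assumes a policy of explicit settings (unset directives are reported), treats every line after the first Match as a conditional override, and does not follow Include files.

```python
import re

# Constructed sample configs for illustration (not from the original post).
WEAK = "Port 22\nPermitRootLogin yes\n# PasswordAuthentication left unset\n"
HARDENED = "PermitRootLogin no\nPasswordAuthentication no\nAllowUsers alice deploy\n"
OVERRIDE = HARDENED + "Match Address 192.0.2.0/24\n    PasswordAuthentication yes\n"

def parse(text):
    """Split sshd_config text into (global settings, Match-block lines)."""
    settings, overrides, in_match = {}, [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()               # keywords are case-insensitive
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            in_match = True                  # later lines are conditional
        elif in_match:
            overrides.append((key, value))
        else:
            settings.setdefault(key, value)  # sshd keeps the first value it reads
    return settings, overrides

def audit(text):
    """Return a list of findings; an empty list means every check passed."""
    s, overrides = parse(text)
    findings = []
    if s.get("permitrootlogin", "").lower() != "no":
        findings.append("PermitRootLogin is not explicitly 'no'")
    if not (s.get("allowusers") or s.get("allowgroups")):
        findings.append("no AllowUsers/AllowGroups allow-list")
    if s.get("passwordauthentication", "").lower() != "no":
        findings.append("PasswordAuthentication is not explicitly 'no'")
    # A Match block can quietly re-enable what the global section disabled.
    for key, value in overrides:
        if key in ("permitrootlogin", "passwordauthentication") and value.lower() != "no":
            findings.append(f"Match block sets {key} {value}")
    return findings

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("hardened", HARDENED), ("override", OVERRIDE)):
        print(name, audit(cfg) or "OK")
```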

Philadelphia Linux Users Group