Rich Freeman on 28 Aug 2018 11:53:19 -0700



Re: [PLUG] Linux tip: Log IP addresses, not hostnames, for use by fail2ban...


On Tue, Aug 28, 2018 at 2:29 PM Ronald Guilmet <ronpguilmet@gmail.com> wrote:
>
> Maybe I'm missing something. My servers were always locked down. SSH
> access was from a specific IP, and the only way in was with keys. With
> that setup, why would I care what someone is throwing at the machine?
> Does it cause a performance issue that I'm not aware of?
>

So, I don't do the fail2ban thing, but the arguments in favor of it are:

1.  Yes, it does have some impact on performance.  Granted, not a
whole lot if you're just talking about the few odd connections per
minute.
2.  Maybe at some point an openssh zero day comes out, and it takes
more than a few connection attempts to exploit it.  Fail2ban could
save your bacon.  While I also don't advocate for blocking all of
China/etc, I do have to admit that this could help protect you from
zero days that require a single attempt to work (though in that
scenario you'd probably have so many compromised machines out there
I'm skeptical that you could blacklist all of them - very selective
whitelisting would work though).

But, as long as openssh is working as advertised, then if it only
allows key-based login there is no harm in giving an intruder an
unlimited number of attempts at it.  The problem comes in when it
doesn't work as advertised.

-- 
Rich
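The mechanism the argument above turns on (count failed attempts per source address inside a time window, and block the address once it crosses a threshold) and the reason the thread's subject line asks for IP addresses rather than hostnames in the log can both be shown in a few lines. The following is an added example written for this page; it is not code from the thread, from Rich, or from the fail2ban project. The log lines are constructed in a syslog-like layout, and the thresholds (three failures within 600 seconds) are assumed values, not anything the post states.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample lines in a syslog-like layout (not real log output).
# One source hammers the host within seconds; one retries slowly; one
# appears only as a hostname, which a firewall rule cannot act on.
SAMPLE_LOG = """\
Aug 28 11:40:01 host sshd[1201]: Failed password for root from 203.0.113.5 port 51234 ssh2
Aug 28 11:40:03 host sshd[1202]: Failed password for root from 203.0.113.5 port 51240 ssh2
Aug 28 11:40:06 host sshd[1203]: Failed password for invalid user admin from 203.0.113.5 port 51244 ssh2
Aug 28 11:40:09 host sshd[1204]: Failed password for invalid user admin from 203.0.113.5 port 51250 ssh2
Aug 28 11:41:00 host sshd[1210]: Failed password for bob from 198.51.100.9 port 40000 ssh2
Aug 28 11:55:00 host sshd[1220]: Failed password for bob from 198.51.100.9 port 40001 ssh2
Aug 28 11:55:02 host sshd[1221]: Failed password for bob from 2001:db8::1 port 40002 ssh2
Aug 28 11:55:03 host sshd[1222]: Failed password for root from scanner.example.net port 40003 ssh2
"""

# Matches the constructed layout above; a real deployment would tune this
# to the exact sshd/syslog format in use.
FAIL_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<src>\S+) port \d+"
)


def parse_failure(line):
    """Return (timestamp, source) for a failed-login line, else None."""
    m = FAIL_RE.match(line)
    if m is None:
        return None
    # Syslog timestamps carry no year; strptime fills in 1900, which is
    # fine for the relative comparisons done below.
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
    return ts, m.group("src")


def scan(log_text, maxretry=3, findtime=600):
    """Sliding-window failure counter in the style of a fail2ban jail.

    Returns (banned_ips, unbannable_sources). An address is banned once it
    accumulates `maxretry` failures within `findtime` seconds. Sources that
    are not IP addresses (hostnames) are reported separately: without the
    address there is nothing to put in a firewall rule.
    """
    windows = defaultdict(deque)  # ip -> timestamps of recent failures
    banned = set()
    unbannable = set()
    for line in log_text.splitlines():
        parsed = parse_failure(line)
        if parsed is None:
            continue
        ts, src = parsed
        try:
            ip = ipaddress.ip_address(src)
        except ValueError:
            unbannable.add(src)
            continue
        q = windows[ip]
        q.append(ts)
        # Drop failures that fell out of the window.
        while q and (ts - q[0]).total_seconds() > findtime:
            q.popleft()
        if len(q) >= maxretry:
            banned.add(str(ip))
    return sorted(banned), sorted(unbannable)


def drop_rule(ip_text):
    """Render one possible ban action (an iptables/ip6tables DROP rule).

    Assumed illustration only; fail2ban's own actions are configurable.
    """
    ip = ipaddress.ip_address(ip_text)
    tool = "ip6tables" if ip.version == 6 else "iptables"
    return f"{tool} -I INPUT -s {ip} -j DROP"


if __name__ == "__main__":
    banned, unbannable = scan(SAMPLE_LOG)
    for ip in banned:
        print(drop_rule(ip))
    for src in unbannable:
        print(f"cannot ban {src}: hostname logged instead of IP address")
```

Run on the constructed sample, only 203.0.113.5 crosses the threshold (four failures in eight seconds); 198.51.100.9 fails twice but fourteen minutes apart, so its window never holds three entries, and the hostname-only line is reported rather than banned. The last case is the thread's point: whatever the service logs has to be something a firewall can match.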
___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug