Ronald Guilmet on 28 Aug 2018 12:14:53 -0700
Re: [PLUG] Linux tip: Log IP addresses, not hostnames, for use by fail2ban...
Ron

> On 8/28/2018 2:53 PM, Rich Freeman wrote:
>> On Tue, Aug 28, 2018 at 2:29 PM Ronald Guilmet <ronpguilmet@gmail.com> wrote:
>>> Maybe I'm missing something. My servers were always locked down. SSH access
>>> was from a specific IP, and the only way in was with keys. With that setup,
>>> why would I care what someone is throwing at the machine? Does it cause a
>>> performance issue that I'm not aware of?
>>
>> So, I don't do the fail2ban thing, but the arguments in favor of it are:
>>
>> 1. Yes, it does have some impact on performance. Granted, not a whole lot if
>> you're just talking about the few odd connections per minute.
>>
>> 2. Maybe at some point an openssh zero day comes out, and it takes more than
>> a few connection attempts to exploit it. Fail2ban could save your bacon.
>>
>> While I also don't advocate for blocking all of China/etc, I do have to admit
>> that this could help protect you from zero days that require a single attempt
>> to work (though in that scenario you'd probably have so many compromised
>> machines out there I'm skeptical that you could blacklist all of them - very
>> selective whitelisting would work though).
>>
>> But, as long as openssh is working as advertised, then if it only allows
>> key-based login there is no harm in giving an intruder an unlimited number
>> of attempts at it. The problem comes in when it doesn't work as advertised.
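The per-source counting that fail2ban does, and why the subject line insists on IP addresses rather than hostnames, can be shown with a few lines of Python. This is an added illustration, not code from the thread or from the fail2ban project: the sshd log lines, the `badguy.example.net` hostname and the `maxretry`/`findtime` values are constructed, and the window logic only models fail2ban's behaviour rather than reproducing its filter syntax.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample sshd log lines (not taken from the thread). Lines logging
# "from <IP>" can be acted on by an IP-keyed filter; the last line shows the
# hostname form that the thread's subject line warns against logging.
SAMPLE_LOG = """\
Aug 28 14:29:01 host sshd[1201]: Failed password for root from 203.0.113.7 port 51022 ssh2
Aug 28 14:29:03 host sshd[1202]: Failed password for invalid user admin from 203.0.113.7 port 51023 ssh2
Aug 28 14:29:04 host sshd[1203]: Accepted publickey for ron from 198.51.100.20 port 40012 ssh2
Aug 28 14:29:05 host sshd[1204]: Failed password for root from 203.0.113.7 port 51024 ssh2
Aug 28 14:29:07 host sshd[1205]: Failed password for root from 203.0.113.9 port 51030 ssh2
Aug 28 14:29:09 host sshd[1206]: Failed password for root from 203.0.113.7 port 51025 ssh2
Aug 28 14:29:10 host sshd[1207]: Failed password for root from badguy.example.net port 51026 ssh2
"""

# Matches the failed-password line shape above; "invalid user" is optional.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<src>\S+) port \d+"
)


def parse_failures(log_text):
    """Yield (timestamp, source) for every failed-login line; skip the rest."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            # Syslog timestamps carry no year; strptime defaults to 1900, which
            # is harmless here because only differences between stamps matter.
            ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
            yield ts, m.group("src")


def evaluate(log_text, maxretry=3, findtime_seconds=600):
    """Sliding-window ban decision modelled on fail2ban's maxretry/findtime.

    Returns {"banned": set of IPs that reached maxretry failures within
    findtime, "skipped_hostnames": sources that were not IP addresses}.
    A hostname cannot be fed to an IP-based firewall rule without a lookup
    that the attacker's reverse DNS controls, so those entries are set aside.
    """
    findtime = timedelta(seconds=findtime_seconds)
    recent = defaultdict(deque)  # ip -> timestamps of recent failures
    banned = set()
    skipped = []
    for ts, src in parse_failures(log_text):
        try:
            ip = str(ipaddress.ip_address(src))
        except ValueError:
            skipped.append(src)
            continue
        window = recent[ip]
        window.append(ts)
        # Drop failures older than findtime relative to the newest one.
        while window and ts - window[0] > findtime:
            window.popleft()
        if len(window) >= maxretry:
            banned.add(ip)
    return {"banned": banned, "skipped_hostnames": skipped}


if __name__ == "__main__":
    result = evaluate(SAMPLE_LOG)
    print("ban:", sorted(result["banned"]))
    print("hostname entries ignored:", result["skipped_hostnames"])
```

With the defaults, `203.0.113.7` reaches three failures inside the window and is banned, `203.0.113.9` with a single failure is not, and the hostname entry is reported separately because there is no address to ban. Note that on a host configured for key-only login, as described earlier in the thread, the `Failed password` lines never appear in the first place, which is exactly why the thread's author sees little to gain from fail2ban there.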
___________________________________________________________________________
Philadelphia Linux Users Group -- http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion -- http://lists.phillylinux.org/mailman/listinfo/plug