
I use fail2ban because I take break-in attempts personally, especially when it's some script trying default logins one after another. It's insulting.



You have that exactly backwards: if someone is hitting you with a password bruteforce from a single IP address (which is the only threat that fail2ban mitigates) then it is assuredly nothing personal at all.

A personal insult, if you are ever unfortunate enough to receive one, will be much more stealthy and neither fail2ban nor any other magical rock will protect you against it.


You don't see any tigers around, do you?


Usually they use a big pool of IP addresses, but that doesn't make fail2ban completely useless since they do reuse IPs.


> It's insulting

Brute force / credential stuffing attacks against ssh are the mosquitos of the Internet.

Ubiquitous, annoying, and persistent. But nothing personal.


I also take mosquitoes personally, so maybe it's a larger character flaw on my part.


If anything, you're doing them a (minuscule) favor by keeping them from wasting more resources on failed login attempts. If you really hated them, you'd set up a honeypot.


More fun: set up a fail2ban actionban script that, instead of banning the IP, shapes the traffic coming from it to have abysmal bandwidth so requests/responses take a really long time, so they'll have to time out instead of getting failures.


This is known as tarpitting, and apparently iptables can do it: https://en.wikipedia.org/wiki/Tarpit_%28networking%29


Neat, didn't know that! I think before I've used Traffic Control (tc) for it, but iptables would be simpler.

Available in `xtables-addons` it seems. After install:

    iptables -A INPUT -p tcp -s $SOURCE_IP -j TARPIT # add IP to tarpit
    iptables -D INPUT -p tcp -s $SOURCE_IP -j TARPIT # remove IP from tarpit

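Putting the two comments above together, here is a fail2ban action file that tarpits a banned address instead of dropping it. This is an added example, not something from the thread or from the fail2ban project; the file name `iptables-tarpit.conf` is an assumption, and it assumes the TARPIT target from `xtables-addons` is installed. fail2ban substitutes `<name>`, `<ip>` and `<port>` at runtime from the jail.

```ini
# /etc/fail2ban/action.d/iptables-tarpit.conf   (hypothetical file name; added example)
#
# Requires the TARPIT target from xtables-addons (xt_TARPIT). TARPIT is only
# valid for TCP, so every rule that uses it carries "-p tcp".

[Definition]
# Create one chain per jail and hook it into INPUT for the jail's port(s),
# the same layout fail2ban's stock iptables actions use.
actionstart = iptables -N f2b-<name>
              iptables -A f2b-<name> -j RETURN
              iptables -I INPUT -p tcp -m multiport --dports <port> -j f2b-<name>

actionstop = iptables -D INPUT -p tcp -m multiport --dports <port> -j f2b-<name>
             iptables -F f2b-<name>
             iptables -X f2b-<name>

# fail2ban runs this before each ban/unban to confirm the chain still exists
# (e.g. after a firewall restart wiped it).
actioncheck = iptables -n -L INPUT | grep -q 'f2b-<name>[ \t]'

# Ban: answer the attacker's SYNs but hold each connection open with a zero
# window, so their client waits for its own timeout instead of seeing a
# refused connection. TARPIT keeps no per-connection state on our side.
# The raw-table NOTRACK rule keeps tarpitted flows out of the conntrack
# table, which would otherwise fill up with half-open entries.
actionban = iptables -t raw -I PREROUTING -p tcp -s <ip> -m multiport --dports <port> -j NOTRACK
            iptables -I f2b-<name> 1 -p tcp -s <ip> -j TARPIT

# Unban: remove exactly the two rules added above.
actionunban = iptables -D f2b-<name> -p tcp -s <ip> -j TARPIT
              iptables -t raw -D PREROUTING -p tcp -s <ip> -m multiport --dports <port> -j NOTRACK

[Init]
# Defaults; the jail overrides these (the sshd jail passes port = ssh).
name = default
port = ssh
```

Select it for a jail with `banaction = iptables-tarpit` in that jail's section of `jail.local`, then check with `iptables -n -L f2b-sshd` after the first ban that the TARPIT rule landed. Because TARPIT is applied per source address, it has the same limitation the thread notes for fail2ban generally: an attacker rotating through a pool of addresses only gets one connection per address stuck before moving on.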

This is hilarious


Restrict your SSH login to a single user, then su to your admin


I know how to lock machines down. That's not why it bugs me.


Apologies, I guess I just wanted my two cents in and didn't see anyone writing it


No, it's solid advice. Thanks for looking out for others.



