
On 08/07/15 23:52, Jeremy Visser wrote:
On 08/07/15 13:07, Daniel Jitnah wrote:
I am seeing new ips being banned pretty much every 10-15 mins on this server. Is this a lot or normal? Given that other servers may not see one for days.
It all depends on the particular server, and how visible you are.
That is something that crossed my mind as to why this particular server sees so much more fail2ban activity. This particular server happens to live in a particular datacenter in Australia. I was wondering whether that datacenter (IP range) was being particularly targeted compared to the other servers, all of which are located elsewhere. Could that be a possible explanation?

Cheers,
Daniel.
At work I maintain an ISP mail system for a 15-year-old domain, with years' worth of history of mailboxes being cracked due to insecure passwords.
The mail system sees dozens of requests per second, most of which are from legit customers, but every few seconds random IPs attempt to guess passwords to accounts.
There's absolutely nothing I can do to prevent that apart from enforcing strict password policies.
Of course I run fail2ban, but that doesn't stop botnet operators who are able to crack a username's password from hundreds of IPs at a time.
Furthermore, if I were to ban usernames based on the number of IPs trying to guess the password, that would leave the system vulnerable to denial-of-service and customers being randomly blocked -- not acceptable!
On the other hand, my personal mail server, which actually has a longer-lived IP address than my work mail servers, sees far fewer attempts. I believe this is largely due to no prior history of being cracked, and therefore not making it into any database of "crackable targets".
Given all that, actually I don't bother with fail2ban for SSH. Instead, I exclusively use SSH keys and set "PasswordAuthentication no" in sshd_config. It's not difficult.

_______________________________________________
luv-main mailing list
luv-main@luv.asn.au
http://lists.luv.asn.au/listinfo/luv-main
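The point made above about botnets spreading guesses across many IPs, and why banning by target username is a denial-of-service vector, as an added illustration that is not part of the thread. The log lines are constructed (RFC 5737 test addresses, Debian-style sshd "Failed password" format); the threshold numbers are assumptions chosen to mirror a fail2ban maxretry of 5:

```python
import re
from collections import Counter, defaultdict

# Matches the sshd failure line format seen in a Debian-style auth.log.
FAIL_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+"
)


def build_sample_log():
    """Constructed sample lines (not real traffic) with three patterns:
    one IP hammering 'admin', twelve IPs spraying 'alice' two tries each,
    and a legitimate user who mistypes once and then logs in with a key."""
    lines = []
    for i in range(6):
        lines.append(
            f"Jul  8 23:40:0{i} mx sshd[1001]: Failed password for admin "
            f"from 203.0.113.9 port 4000{i} ssh2"
        )
    for n in range(1, 13):
        for j in range(2):
            lines.append(
                f"Jul  8 23:41:{n:02d} mx sshd[{1100 + n}]: Failed password for alice "
                f"from 198.51.100.{n} port {50000 + j} ssh2"
            )
    lines.append(
        "Jul  8 23:42:00 mx sshd[1200]: Failed password for bob "
        "from 192.0.2.7 port 51000 ssh2"
    )
    lines.append(
        "Jul  8 23:42:05 mx sshd[1200]: Accepted publickey for bob "
        "from 192.0.2.7 port 51000 ssh2"
    )
    return lines


def tally(lines):
    """Count failures per source IP and distinct source IPs per target user."""
    fails_per_ip = Counter()
    ips_per_user = defaultdict(set)
    for line in lines:
        m = FAIL_RE.search(line)
        if m:
            fails_per_ip[m["ip"]] += 1
            ips_per_user[m["user"]].add(m["ip"])
    return fails_per_ip, ips_per_user


def per_ip_bans(fails_per_ip, maxretry=5):
    """What a fail2ban-style rule keyed on source address would ban."""
    return sorted(ip for ip, n in fails_per_ip.items() if n >= maxretry)


def sprayed_accounts(ips_per_user, min_sources=5):
    """Accounts attacked from many sources. A per-IP ban never fires for
    these (each source stays under maxretry), and locking the account
    instead would let any botnet lock out arbitrary customers on demand,
    which is the denial-of-service the post warns about. Alert on it,
    don't block on it."""
    return sorted(u for u, ips in ips_per_user.items() if len(ips) >= min_sources)


if __name__ == "__main__":
    fails, users = tally(build_sample_log())
    print("per-IP bans:", per_ip_bans(fails))            # ['203.0.113.9']
    print("sprayed accounts:", sprayed_accounts(users))  # ['alice']
    print("tries per spraying IP:", fails["198.51.100.1"])  # 2
```

The single-source attacker is banned and the spray against alice is invisible to the per-IP rule; the only control that actually removes the risk is making the guessed credential worthless (keys, or a password policy the attacker cannot search), which is where the thread ends up.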
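An added check for the "PasswordAuthentication no" advice above, not code from the thread. It audits an sshd_config text using two documented sshd rules: the first value obtained for a keyword wins, and lines inside a Match block apply only to matching connections. It also treats ChallengeResponseAuthentication and KbdInteractiveAuthentication as the same switch, which they are in OpenSSH 8.7 and later (older releases want ChallengeResponseAuthentication no); the two sample configs are constructed, not copied from any host:

```python
import re

# Built-in defaults for the keywords checked here, per sshd_config(5).
DEFAULTS = {
    "passwordauthentication": "yes",
    "kbdinteractiveauthentication": "yes",
    "pubkeyauthentication": "yes",
    "permitrootlogin": "prohibit-password",
}

# Pre-8.7 name for the same keyboard-interactive (PAM) switch; if it is
# left on, PAM can still prompt for a password with PasswordAuthentication no.
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}

# Constructed sample: a distribution-style default where the commented
# keyword silently keeps its built-in value of yes.
WEAK_CONFIG = """\
#PasswordAuthentication yes
ChallengeResponseAuthentication yes
PermitRootLogin yes
"""

# Constructed sample of the hardened form, plus one Match exception
# (assumed for illustration) that the audit should surface.
HARDENED_CONFIG = """\
PasswordAuthentication no
KbdInteractiveAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
PermitRootLogin prohibit-password
Match Address 10.0.0.0/8
    PasswordAuthentication yes
"""


def effective_settings(text):
    """Return (global settings, Match-block lines). First value wins;
    Include directives are not followed, see the note below."""
    global_first = {}
    match_lines = []
    current_match = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        key = parts[0].lower()
        key = ALIASES.get(key, key)
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            current_match = value
            continue
        if current_match is not None:
            match_lines.append((current_match, key, value))
        elif key not in global_first:
            global_first[key] = value
    settings = dict(DEFAULTS)
    settings.update(global_first)
    return settings, match_lines


def audit(text):
    """Findings for a config text; empty means passwords are off globally."""
    settings, match_lines = effective_settings(text)
    findings = []
    if settings["passwordauthentication"].lower() != "no":
        findings.append("PasswordAuthentication is effectively yes")
    if settings["kbdinteractiveauthentication"].lower() != "no":
        findings.append("keyboard-interactive (PAM) password prompts still on")
    if settings["permitrootlogin"].lower() == "yes":
        findings.append("PermitRootLogin yes")
    for spec, key, value in match_lines:
        if key == "passwordauthentication" and value.lower() == "yes":
            findings.append(f"passwords re-enabled for 'Match {spec}'")
    return findings


if __name__ == "__main__":
    print("weak:", audit(WEAK_CONFIG))
    print("hardened:", audit(HARDENED_CONFIG))
```

Because the first value wins, a drop-in under /etc/ssh/sshd_config.d/ pulled in by an Include line near the top of the file overrides anything set further down, which is a common way "PasswordAuthentication no" ends up not taking effect. The authoritative check on a live host is the daemon's own dump, `sshd -T | grep -i -E 'passwordauthentication|kbdinteractive'`, run after the restart and before closing the session you already have open.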