[Leaplist] fail2ban

Kevin Korb kmk at sanitarium.net
Mon Mar 8 20:54:26 EST 2010



If you only allow access via keys then you can even disable password
authentication completely.  Most of the bots give up when they get
disconnected as soon as they connect.

I have mine set up that way though I also allow s/key authentication just
in case.  But the s/key only prompts for an otp if you try the one user
name that I set it up on.

At FQ we use something similar to fail2ban that we wrote in house.  I
will not claim that it is better than fail2ban as I haven't tried it but
we had ours in place before fail2ban existed and it works well enough that
we haven't bothered to look at more modern alternatives.

At home I have pf set to temporarily firewall off any IP that makes too
many connections too quickly.  Though with the password authentication
disabled that is pretty uncommon (somewhere between 10 and 15 IPs per week).

On 03/08/10 20:45, Jason Boxman wrote:
> On 3/8/2010 6:53 PM, Phil Barnett wrote:
>> I was looking for a solution to automatically firewall password guessing
>> attacks to ssh my server and came across this interesting solution.
> 
> The risk is a crafty attacker successfully bans you, should you be
> accessing the host primarily remotely.
> 
> Instead, I use OpenSSH AllowUsers and only allow access via keys.
> 
> 

- -- 
~*-,._.,-*~'`^`'~*-,._.,-*~'`^`'~*-,._.,-*~'`^`'~*-,._.,-*~'`^`'~*-,._.,-*~
	Kevin Korb			Phone:    (407) 252-6853
	Systems Administrator		Internet:
	FutureQuest, Inc.		Kevin at FutureQuest.net  (work)
	Orlando, Florida		kmk at sanitarium.net (personal)
	Web page:			http://www.sanitarium.net/
	PGP public key available on web site.
~*-,._.,-*~'`^`'~*-,._.,-*~'`^`'~*-,._.,-*~'`^`'~*-,._.,-*~'`^`'~*-,._.,-*~
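The two controls discussed in this thread, key-only OpenSSH access with AllowUsers and a pf rate-limit that temporarily firewalls off hosts that connect too quickly, as an added configuration example. This is not Kevin's or FutureQuest's actual setup, nor the in-house fail2ban-like tool he mentions; the interface name `egress`, the user names `alice` and `bob`, and the admin address `203.0.113.10` (a documentation range) are constructed placeholders, and the rate and ban thresholds are assumptions to be tuned per host.

```conf
# --- /etc/ssh/sshd_config (excerpt) ---
# Keys only: bots probing for passwords get disconnected without ever
# seeing a password prompt, which is what makes most of them give up.
PasswordAuthentication no
# Also disables keyboard-interactive prompts (s/key, PAM OTP). The author
# keeps s/key for one account; doing that means leaving this "yes" and
# restricting it with a Match User block instead.
ChallengeResponseAuthentication no
PubkeyAuthentication yes
PermitRootLogin no
# Only these accounts may authenticate at all; everyone else is refused
# before any key is checked. (placeholder names)
AllowUsers alice bob

# --- /etc/pf.conf (excerpt) ---
# Table of addresses that opened too many SSH connections too quickly.
# "persist" keeps the table even when no rule currently references it.
table <bruteforce> persist
# Addresses that must never be banned, so a "crafty attacker" cannot
# lock the administrator out by spoofing or sharing their source IP.
# (constructed placeholder address)
table <admins> { 203.0.113.10 }

# Rules are evaluated in order; "quick" stops at the first match, so the
# admin allow-list wins over the ban table, and the ban table wins over
# the rate-limited pass rule below.
pass in quick on egress proto tcp from <admins> to (egress) port 22 \
    flags S/SA keep state
block in quick on egress proto tcp from <bruteforce> to (egress) port 22

# More than 10 concurrent connections, or more than 5 new connections
# in 30 seconds, from one source adds it to <bruteforce> and "flush
# global" tears down that source's existing states as well.
pass in quick on egress proto tcp to (egress) port 22 \
    flags S/SA keep state \
    (max-src-conn 10, max-src-conn-rate 5/30, overload <bruteforce> flush global)
```

Bans made this way are permanent until the table is cleaned, so the "temporary" part comes from a periodic job such as `pfctl -t bruteforce -T expire 86400` (drop entries older than a day) run from cron; `pfctl -t bruteforce -T show` lists who is currently blocked, which is a useful weekly check given the 10 to 15 addresses per week the author reports. The `<admins>` allow-list is the mitigation for the lock-out risk raised earlier in the thread: with password authentication off, a legitimate key-based login never trips the counter under normal use, but a noisy script run from the admin's own address still could.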
