On Thu, Dec 08, 2016 at 01:18:38AM +0300, Reco wrote:
On Wed, 7 Dec 2016 15:54:46 -0500
Henning Follmann <hfollm...@itcfollmann.com> wrote:
On Wed, Dec 07, 2016 at 11:28:53PM +0300, Reco wrote:
> Hi.
>
> On Wed, 7 Dec 2016 21:14:51 +0200
> Antti Talsta <atal...@nothingtosee.org> wrote:
>
> > On Wed, Dec 07, 2016 at 01:49:34PM -0500, Greg Wooledge wrote:
> >
> > > Changing the port at least decreases the number of brute force attacks
> > > against you, which saves resources (bandwidth, CPU) that are otherwise
> > > wasted by the attackers.
> >
> > How about fail2ban for that?
>
> How fail2ban can help against an army of bots trying one single
> password per bot?
>
That actually works well. Usually it's multiple attempts from one ip.
fail2ban catches exactly that. And then blacklists that ip.
Probably it is so. It's been awhile since I ran publicly accessible
sshd on port 22 with password authentication enabled.
Personally I prefer a bunch of simple iptables rules to fail2ban
though. After all, why bother running a userspace tool, if you can
force the kernel itself to do the job?
Could you share with the group what "simple iptables rules" you use? I
presume that iptables, by itself, can't replicate the idea of "block
after X failures in Y minutes", but presumably you're using some kind of
rate limiting, instead?
Reco
--
For more information, please reread.