On 08/07/15 23:52, Jeremy Visser wrote:
> On 08/07/15 13:07, Daniel Jitnah wrote:
>> I am seeing new IPs being banned pretty much every 10-15 mins on this
>> server. Is this a lot or normal? Given that other servers may not
>> see one for days.
>
> It all depends on the particular server, and how visible you are.
>

That is something that crossed my mind as to why this particular server sees so much more fail2ban activity. This particular server happens to live in a particular datacenter in Australia. I was wondering whether that datacenter (IP range) was being particularly targeted compared to the other servers, all of which are located elsewhere.

Could that be a possible explanation?

Cheers,
Daniel.

> At work I maintain an ISP mail system for a 15-year-old domain and years'
> worth of history of mailboxes being cracked due to insecure passwords.
>
> The mail system sees dozens of requests per second, most of which are from
> legit customers, but every few seconds random IPs attempt to guess passwords
> to accounts.
>
> There's absolutely nothing I can do to prevent that apart from enforcing
> strict password policies.
>
> Of course I run fail2ban, but that doesn't stop botnet operators who are able
> to crack a username's password from hundreds of IPs at a time.
>
> Furthermore, if I were to ban usernames based on the number of IPs trying to
> guess the password, that would leave the system vulnerable to
> denial-of-service and customers being randomly blocked -- not acceptable!
>
> On the other hand, my personal mail server, which actually has a longer-lived
> IP address than my work mail servers, sees far fewer attempts. I believe
> this is largely due to no prior history of being cracked, and therefore not
> making it into any database of "crackable targets".
>
> Given all that, actually I don't bother with fail2ban for SSH. Instead, I
> exclusively use SSH keys and set "PasswordAuthentication no" in sshd_config.
> It's not difficult.

_______________________________________________
luv-main mailing list
http://lists.luv.asn.au/listinfo/luv-main
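Added example, not part of the original thread: a small log analysis that contrasts a per-IP failure threshold (the kind of rule fail2ban applies) with a count of distinct source IPs per username, which is where the distributed guessing described in the quoted message shows up. The log format, the sample lines and the thresholds `maxretry=5` and `distinct_ip_alert=20` are constructed for illustration, and the time window is ignored for brevity.

```python
import re
from collections import defaultdict

# Hypothetical log format, constructed for this example (not any real daemon's).
LINE_RE = re.compile(r"auth failed user=(\S+) rip=(\S+)")

def make_sample_log():
    """Build constructed sample lines; addresses are documentation ranges."""
    lines = []
    # Distributed guessing: 40 sources, 2 failures each, all against "alice".
    for i in range(40):
        lines += [f"auth failed user=alice rip=198.51.100.{i + 1}"] * 2
    # One noisy source: 8 failures against "bob" from a single address.
    lines += ["auth failed user=bob rip=203.0.113.7"] * 8
    # A legitimate customer mistyping a password once.
    lines.append("auth failed user=carol rip=192.0.2.10")
    return lines

def analyse(lines, maxretry=5, distinct_ip_alert=20):
    per_ip = defaultdict(int)        # failures per source IP
    ips_per_user = defaultdict(set)  # distinct source IPs per username
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue
        user, ip = m.groups()
        per_ip[ip] += 1
        ips_per_user[user].add(ip)
    # Per-IP rule: only sources that reach the threshold would be banned.
    banned = {ip for ip, n in per_ip.items() if n >= maxretry}
    # Per-user view: accounts hit from many sources. Reported for alerting
    # only; locking the account would let anyone block a customer.
    targeted = {u: len(s) for u, s in ips_per_user.items()
                if len(s) >= distinct_ip_alert}
    # Failed guesses from sources the per-IP rule never catches.
    unbanned_failures = sum(n for ip, n in per_ip.items() if ip not in banned)
    return banned, targeted, unbanned_failures

if __name__ == "__main__":
    banned, targeted, missed = analyse(make_sample_log())
    print("banned IPs:", sorted(banned))
    print("usernames hit from many IPs:", targeted)
    print("failures from never-banned IPs:", missed)
```

On the constructed data the per-IP rule bans only the single noisy source, while all 80 guesses against the one account come from addresses that stay under the threshold.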
