On 04/13/2013 12:10 PM, Andy Bradford wrote:
> Thus said Corey Edwards on Fri, 12 Apr 2013 10:08:06 -0600:
>
>> The primary advantage fail2ban would have over your iptables filters
>> is being able to differentiate successful and failed logins.
>
> If one can't be bothered to use SSH keys, or get one's password right in
> 10 times per minute (assuming I interpret the iptables rules correctly),
> one deserves to be blocked. ;-)

The scenario I'm describing is a bunch of successful logins in very quick
sequence. 10 logins per minute is a lot, but I could imagine some times
where it might happen. To get that rate, you'd almost have to be using
keys (doesn't everybody?). In that situation, fail2ban could safely
ignore those connections but iptables would incorrectly detect it as an
attack.

Corey

/*
PLUG: http://plug.org, #utah on irc.freenode.net
Unsubscribe: http://plug.org/mailman/options/plug
Don't fear the penguin.
*/
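The difference the thread is arguing about can be made concrete by running two counters over the same sshd log. The following is an added example, not code from the list thread, fail2ban or iptables: it approximates an iptables `recent`-style rule (10 hits in 60 seconds, counting every connection regardless of outcome) and a fail2ban-style sshd jail (counting only `Failed` lines; the `maxretry=5` / `findtime=600` parameters are assumed defaults). The log lines are constructed, and one log line is treated as one connection, which is a simplification since sshd allows several password tries per connection.

```python
"""Connection-rate counter vs. failed-login counter over constructed sshd logs."""
import re
from collections import defaultdict, deque
from datetime import datetime

# OpenSSH-style syslog lines, e.g.
#   Apr 13 12:00:01 bastion sshd[1234]: Accepted publickey for deploy from 10.0.0.5 port 50000 ssh2
#   Apr 13 12:00:05 bastion sshd[1234]: Failed password for invalid user admin from 203.0.113.9 port 40000 ssh2
LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<outcome>Accepted|Failed) (?P<method>\S+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+"
)
EPOCH = datetime(1900, 1, 1)  # strptime without a year lands in 1900; only deltas matter


def _line(sec, msg):
    """Build one constructed log line at 12:MM:SS on Apr 13 (sample data only)."""
    return f"Apr 13 12:{sec // 60:02d}:{sec % 60:02d} bastion sshd[1234]: {msg}"


# Constructed sample: a deploy script doing 10 key logins in under 30 s,
# an attacker failing 12 password guesses in under 60 s, and one ordinary user.
SAMPLE_LOG = "\n".join(
    [_line(1 + 3 * i, f"Accepted publickey for deploy from 10.0.0.5 port {50000 + i} ssh2")
     for i in range(10)]
    + [_line(5 + 4 * i, f"Failed password for invalid user admin from 203.0.113.9 port {40000 + i} ssh2")
       for i in range(12)]
    + [_line(20, "Accepted password for corey from 192.0.2.7 port 61000 ssh2"),
       _line(300, "Accepted password for corey from 192.0.2.7 port 61001 ssh2")]
)


def parse_events(log_text):
    """Return [(seconds, ip, outcome), ...] for each sshd auth line, oldest first."""
    events = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unrelated syslog line
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
        events.append(((ts - EPOCH).total_seconds(), m["ip"], m["outcome"]))
    events.sort()
    return events


def offenders(events, threshold, window, counts):
    """Sliding-window counter: IPs that reach `threshold` counted events
    within `window` seconds. `counts(outcome)` decides what is counted."""
    recent = defaultdict(deque)
    flagged = set()
    for ts, ip, outcome in events:
        if not counts(outcome):
            continue
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:  # drop hits older than the window
            q.popleft()
        if len(q) >= threshold:
            flagged.add(ip)
    return flagged


def connection_rate_offenders(log_text, hitcount=10, seconds=60):
    """Approximates an iptables `-m recent --seconds 60 --hitcount 10` rule:
    every connection counts, successful or not."""
    return offenders(parse_events(log_text), hitcount, seconds, lambda o: True)


def failed_login_offenders(log_text, maxretry=5, findtime=600):
    """Approximates a fail2ban sshd jail: only 'Failed' lines count, so a
    burst of successful key-based logins is never banned."""
    return offenders(parse_events(log_text), maxretry, findtime, lambda o: o == "Failed")


if __name__ == "__main__":
    print("rate counter would block:", sorted(connection_rate_offenders(SAMPLE_LOG)))
    print("failure counter would block:", sorted(failed_login_offenders(SAMPLE_LOG)))
```

On the sample data the connection-rate counter flags both the deploy host and the attacker, while the failure counter flags only the attacker, which is exactly the false positive Corey describes. The attacker is caught by both, so the failure counter loses nothing on the brute-force case it is meant for.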
