is fail2ban safe? Better to use ssh keys?
Solution 1
I judge it as a stable product and I regard it as safe. As an extra precaution I would add your source IP address to the ignoreip directive in the jails.conf to make sure you don't block yourself.
Since it parses the ssh logs a TCP session is going to have to be established so spoofing source IPs and getting the TCP sequences numbers right to create a sort of backscatter variation seems unlikely.
Using keys on top of this as well isn't a bad idea. Other options that help are moving ssh to a nonstandard IP, using the "recent" iptables module, or just deciding you don't care if people try to brute force passwords. See this serverfault post for more on these.
Solution 2
Every time I've ever implemented denyhosts or fail2ban in a production environment it has created a guaranteed ticket-stream of unlock requests, password reset requests, requests to change the settings or manage the whitelist, and generally just people who give up logging in to look into things and lean more on the sysadmins for stuff they could do themselves.
Its not a technical problem with either tool per-se, but if your users number in the dozens or greater its going to be a noticable uptick in support workload and frustrated users.
Also, the problem they solve is they reduce your risk of brute force ssh login attacks. Honestly, the risk of that is incredibly small as long as you have even a moderately decent password policy.
Solution 3
I use since few years and at least is a good protection against script kiddies.
No root logon, plus pretty long and random passwords and fail2ban and maybe different port is for most of us enough secure.
Of course ssh keys are much better as security.
Related videos on Youtube
15 : 46
24 : 23
11 : 52
04 : 48
solsol
Updated on September 17, 2022Comments
-
solsol 3 months
I'm in doubt if I should use key authentication when logging into SSH, or just go for fail2ban + ssh (root login disabled).
Is fail2ban safe or is it really better to just go ahead and generate keys and config that on all my client machines that need to connect to ssh?
-
Philip over 12 yearsThe Fail2Ban directions say not to edit any of the.conffiles and instead to put your configurations in.localfiles. This also makes upgrades much easier, as none of your local files get overwritten. -
Andor over 12 yearsOn the last server I put online, I had 30k failed login request on my logs... just in three days! Even with a good password policy, just for avoiding that big logs and all that noise and risk it's a nice tool. I use denyhosts and do a good tweak of the config files and so... -
Kyle Brandt over 12 yearsChris S: Thanks for that tip... I will attempt to make a mental note :-) -
Philip over 12 yearsI put the threshold at 10 failed logins in 10 minutes (for SSH, IMAP, etc) and have never had an authorized user get locked out. the default settings are a bit tight, and users do hit them now and then; higher limits generally only catch brute-forcing attempts; which I agree are unlikely, but I also agree with Andor that it helps with the log size.
-
Lennert over 12 yearsoh no 10mb of wasted disk space