[GLLUG] Maybe OT - Fail2ban and what triggers it

James Courtier-Dutton james.dutton at gmail.com
Mon Mar 18 09:47:25 UTC 2013


On 18 March 2013 07:39, Ken Smith <kens at kensnet.org> wrote:
> Hi All,
>
> I have a hosted CentOS VM I use for various things. I'd noticed failed SSH
> logins quite some time ago and had installed Fail2ban to thwart these. It
> works really well.
>

I protect from these by configuring the ssh server to only accept
public/private key logins, and reject password-based ones.
So, you can be pretty sure none of the unauthorised attempts will work.

Another option is to use pre-auth.
This pre-auth can be done in many different ways.
1) knocking on a specific combination of ports, in a specific order
before hitting ssh port.
2) Sending a single specially encrypted packet and using that to open
the ssh port to that specific host, if the authentication of that
single packet passes. This method should not respond to the host
sending the encrypted packet, resulting in a response of "no ports
open" to any remote nmap scan on your server.
The disadvantage is that you then have to implement the pre-auth on all
authorised clients.
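
A sketch of the server-side check behind option 2, added here as an illustration and not part of the original message. It authenticates the packet with HMAC-SHA256 rather than encrypting it, and the packet layout, key, and 30-second validity window are all assumptions of this example.

```python
import hashlib
import hmac
import os
import socket
import struct
import time

SHARED_KEY = b"constructed-demo-key"   # constructed sample key, not a real secret
MAX_SKEW = 30                          # assumed validity window in seconds
_seen_nonces = {}                      # nonce -> expiry time, used to reject replays

def build_packet(key, client_ip, now=None, nonce=None):
    """Client side: 8-byte timestamp | 16-byte nonce | 4-byte IPv4 | 32-byte HMAC."""
    ts = int(now if now is not None else time.time())
    nonce = nonce or os.urandom(16)
    body = struct.pack("!Q", ts) + nonce + socket.inet_aton(client_ip)
    return body + hmac.new(key, body, hashlib.sha256).digest()

def verify_packet(key, packet, src_ip, now=None):
    """Server side: return the IP to open the ssh port for, or None.
    Nothing is ever sent back to the sender, so a scan sees no open port."""
    now = int(now if now is not None else time.time())
    if len(packet) != 60:
        return None
    body, tag = packet[:28], packet[28:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None                    # forged or tampered packet
    ts = struct.unpack("!Q", body[:8])[0]
    nonce = body[8:24]
    claimed_ip = socket.inet_ntoa(body[24:28])
    if abs(now - ts) > MAX_SKEW:
        return None                    # stale or future-dated packet
    if claimed_ip != src_ip:
        return None                    # captured packet resent from another host
    # Forget nonces whose packets would fail the timestamp check anyway.
    for old in [n for n, exp in _seen_nonces.items() if exp < now]:
        del _seen_nonces[old]
    if nonce in _seen_nonces:
        return None                    # replay of an already accepted packet
    _seen_nonces[nonce] = ts + MAX_SKEW
    return claimed_ip

if __name__ == "__main__":
    pkt = build_packet(SHARED_KEY, "203.0.113.7")          # constructed sample client
    print(verify_packet(SHARED_KEY, pkt, "203.0.113.7"))   # accepted once
    print(verify_packet(SHARED_KEY, pkt, "203.0.113.7"))   # replay rejected
```

The returned address is what a firewall rule would then allow to reach the ssh port for a short time; the firewall integration itself is left out.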



