[GLLUG] Maybe OT - Fail2ban and what triggers it

Mike Brodbelt mike at coruscant.org.uk
Mon Mar 18 21:20:16 UTC 2013


On 18/03/13 13:08, Imran Chaudhry wrote:
> Interesting analysis there.
>
> The source country reminded me of recent news articles about "Unit
> 61398" [0] and military-sponsored attacks.
>
> You've been given good advice on how to secure SSH. I use fail2ban too
> in tandem with denyhosts [1]. Be warned that you must configure it
> carefully or else could find yourself "locked out"!

I've never been convinced by most of the "advice" on securing SSH. Port 
alterations and similar pre-auth shenanigans don't add a great deal of 
actual security, they just remove rubbish from the logs which makes 
people feel better.

To put some numbers behind this, there are 65535 ports available, so 
moving ssh to an alternate port adds at most 16 bits of entropy to the 
situation. In reality, many of those ports are already used and are 
unlikely to be selected as alternates, so it's less than that. Port 
knocking is just an extension of the same, that adds multiples of the 
(probably not very good) 16 bits.

If there is a problem with SSH security, it's that passwords chosen by 
users are typically poor, and involve far less entropy than you would 
want. If you want to secure SSH better, remove password auth from the 
chain, and use a 2048 bit DSA key - this offers far more security than 
meddling with port numbers. By all means use fail2ban or similar, but 
recognise that its primary utility is to remove log spam.

If you have to leave passwords enabled, then go two factor. Google 
Authenticator has a PAM module, and there are client apps for all the 
common mobile platforms. That uses TOTP, which has a real 
cryptographically tested basis.

Mike
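Mike's last paragraph points at TOTP as the mechanism behind the Google Authenticator PAM module. The following is an added worked example, not code from the original post or from the Google Authenticator project: a from-scratch RFC 4226 HOTP / RFC 6238 TOTP implementation in Python, with a verifier that tolerates one step of clock drift and refuses a counter that has already been accepted (replay). The secret, the base32 form and the time values are the published RFC test vectors; the function names and the window/replay handling are this example's own assumptions, not the PAM module's API.

```python
import base64
import hashlib
import hmac
import struct
from typing import Optional


def hotp(secret: bytes, counter: int, digits: int = 6, digestmod=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC(secret, counter) -> dynamic truncation -> fixed-width decimal code."""
    mac = hmac.new(secret, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F                                   # low nibble of last byte picks the window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6, t0: int = 0) -> str:
    """RFC 6238 TOTP: HOTP over the number of `step`-second intervals since t0."""
    return hotp(secret, (unix_time - t0) // step, digits)


def secret_from_base32(encoded: str) -> bytes:
    """Authenticator apps exchange the shared secret as unpadded base32; restore the padding."""
    cleaned = encoded.replace(" ", "").upper()
    return base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))


def verify_totp(secret: bytes, candidate: str, unix_time: int, window: int = 1,
                step: int = 30, digits: int = 6, last_counter: int = -1) -> Optional[int]:
    """Return the time-step counter that `candidate` matched, or None.

    `window` steps on either side of the current one are accepted to absorb clock drift.
    Any counter <= `last_counter` is refused so an intercepted code cannot be replayed;
    the caller is expected to persist the returned counter as the new `last_counter`.
    """
    current = (unix_time // step)
    for drift in range(-window, window + 1):
        counter = current + drift
        if counter <= last_counter:
            continue
        expected = hotp(secret, counter, digits)
        # compare_digest keeps the comparison time independent of where the digits differ
        if hmac.compare_digest(expected, candidate):
            return counter
    return None


if __name__ == "__main__":
    # RFC 4226 / RFC 6238 reference secret ("12345678901234567890" in ASCII)
    secret = secret_from_base32("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")
    print("code at t=59 :", totp(secret, 59))                 # 287082 per RFC 4226 counter 1
    print("matched step :", verify_totp(secret, "287082", 59))
```

Practical notes: the server-side secret is the real credential here, so it deserves the same handling as a private key (restrictive file permissions, never in logs); the accept window should stay small, since each extra step roughly doubles a guesser's odds per attempt; and the replay check is what turns a 30-second-valid code into a one-time one.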
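The post describes fail2ban's main value as removing log spam from password guessing. To make concrete what that kind of tool actually does, here is an added example (not fail2ban's own code, and not from the original thread) that applies fail2ban's default sshd idea, `maxretry` failures from one source within `findtime` seconds, to a handful of constructed OpenSSH log lines. The addresses, hostnames and timestamps are invented for the example; the regular expression and the sliding-window logic are this example's own assumptions about a typical sshd "Failed password" line.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict

# Constructed sample of OpenSSH log lines; RFC 5737 documentation addresses, not real hosts.
SAMPLE_LOG = """\
Mar 18 20:01:02 host sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51000 ssh2
Mar 18 20:01:05 host sshd[1203]: Failed password for root from 203.0.113.7 port 51002 ssh2
Mar 18 20:01:09 host sshd[1205]: Failed password for invalid user oracle from 203.0.113.7 port 51004 ssh2
Mar 18 20:01:12 host sshd[1207]: Accepted publickey for mike from 198.51.100.9 port 40222 ssh2
Mar 18 20:01:15 host sshd[1209]: Failed password for root from 203.0.113.7 port 51006 ssh2
Mar 18 20:01:20 host sshd[1211]: Failed password for root from 203.0.113.7 port 51008 ssh2
Mar 18 20:25:00 host sshd[1300]: Failed password for mike from 198.51.100.9 port 40300 ssh2
"""

# Matches the common sshd failure line; "invalid user" is optional because sshd adds it
# only when the account does not exist.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>\S+) port \d+"
)


def parse_syslog_time(ts: str, year: int) -> datetime:
    """Syslog timestamps carry no year, so the caller supplies it."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def find_bans(log_text: str, maxretry: int = 5, findtime: int = 600,
              year: int = 2013) -> Dict[str, datetime]:
    """Return {source_ip: time_of_ban} for every source that reached `maxretry`
    failed password attempts inside any `findtime`-second window."""
    window = timedelta(seconds=findtime)
    recent = defaultdict(deque)          # per-source timestamps still inside the window
    bans: Dict[str, datetime] = {}
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue                      # successful logins and other noise are ignored
        ip = m.group("ip")
        if ip in bans:
            continue                      # already banned; further lines would be blocked anyway
        t = parse_syslog_time(m.group("ts"), year)
        q = recent[ip]
        q.append(t)
        while q and t - q[0] > window:    # slide the window forward
            q.popleft()
        if len(q) >= maxretry:
            bans[ip] = t
    return bans


if __name__ == "__main__":
    for ip, when in find_bans(SAMPLE_LOG).items():
        print(f"ban {ip} at {when:%H:%M:%S}")
```

Two things this makes visible: the rule only fires on password failures, so a host that accepts keys alone produces nothing for it to act on, which is the point the message is making about where the real control lives; and the single failure from 198.51.100.9 never triggers, which is why a short `findtime` with a sensible `maxretry` keeps a typo-prone admin from locking themselves out, the risk the quoted reply warns about.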



