[GLLUG] Maybe OT - Fail2ban and what triggers it

Mike Brodbelt mike at coruscant.org.uk
Mon Mar 18 23:48:33 UTC 2013

On 18/03/13 23:02, damion.yates at gmail.com wrote:

> The fact that logs show zero attempts to access is important.

Agreed - that's why I use fail2ban, but it's about removing noise from 
the logs, rather than (directly) improving security. Having cleaner logs 
of course improves security indirectly.

> There have been exploits in the ssh daemon itself permitting access via
> cleverly crafted code able to connect to said host.

I don't believe there have been any known, exploitable remote pre-auth 
vulnerabilities in OpenSSH for protocol version 2 to date, unless you've 
had some very odd configurations. There's a detailed history for OpenSSH 
at http://openssh.org/security.html, which makes for entertaining 
reading, but while this is certainly a feasible attack path, but I'm not 
losing sleep over it.

> I would recommend that complex port knocking and firewall rules
> permitting only certain networks, is extremely sensible on top of
> improved authentication.

My view on that is that the extra hoops it places in front of authorised 
access are more problematic than the security it gains you, which I 
think is more psychological than actual. Of course security is all about 
trade-offs, so put your marker in the sand where you choose - my point 
is simply that I feel that the benefits of these setups aren't worth the 
complexity they add. YMMV.


More information about the GLLUG mailing list