[GLLUG] Maybe OT - Fail2ban and what triggers it
Mike Brodbelt
mike at coruscant.org.uk
Mon Mar 18 23:48:33 UTC 2013
On 18/03/13 23:02, damion.yates at gmail.com wrote:
> The fact that logs show zero attempts to access is important.
Agreed - that's why I use fail2ban, but it's about removing noise from
the logs, rather than (directly) improving security. Having cleaner logs
of course improves security indirectly.
> There have been exploits in the ssh daemon itself permitting access via
> cleverly crafted code able to connect to said host.
I don't believe there have been any known, exploitable remote pre-auth
vulnerabilities in OpenSSH for protocol version 2 to date, unless you've
had some very odd configurations. There's a detailed history for OpenSSH
at http://openssh.org/security.html, which makes for entertaining
reading, but while this is certainly a feasible attack path, I'm not
losing sleep over it.
> I would recommend that complex port knocking and firewall rules
> permitting only certain networks, is extremely sensible on top of
> improved authentication.
My view on that is that the extra hoops it places in front of authorised
access are more problematic than the security it gains you, which I
think is more psychological than actual. Of course security is all about
trade-offs, so put your marker in the sand where you choose - my point
is simply that I feel that the benefits of these setups aren't worth the
complexity they add. YMMV.
Mike
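To make concrete the point above about fail2ban as a log-noise filter, here is an added example that is not part of the thread: a small Python model of fail2ban's sshd jail logic (count "Failed password" lines per source address inside a sliding `findtime` window, ban once `maxretry` is reached). The auth.log lines are constructed for the example; `maxretry` and `findtime` are real fail2ban jail option names, but the matching regex and the banning loop are a simplification of what fail2ban actually does, not its code.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in the syslog format sshd writes to auth.log.
# 192.0.2.10 fails five times in nine seconds; 198.51.100.7 is a legitimate
# user who mistypes a password twice, half an hour apart.
SAMPLE_AUTH_LOG = """\
Mar 18 23:01:02 host sshd[1234]: Failed password for invalid user admin from 192.0.2.10 port 51022 ssh2
Mar 18 23:01:04 host sshd[1234]: Failed password for invalid user admin from 192.0.2.10 port 51023 ssh2
Mar 18 23:01:06 host sshd[1235]: Failed password for root from 192.0.2.10 port 51024 ssh2
Mar 18 23:01:09 host sshd[1236]: Failed password for root from 192.0.2.10 port 51025 ssh2
Mar 18 23:01:11 host sshd[1237]: Failed password for root from 192.0.2.10 port 51026 ssh2
Mar 18 23:02:15 host sshd[1240]: Accepted publickey for mike from 198.51.100.7 port 40001 ssh2
Mar 18 23:05:00 host sshd[1241]: Failed password for mike from 198.51.100.7 port 40002 ssh2
Mar 18 23:30:00 host sshd[1250]: Failed password for mike from 198.51.100.7 port 40003 ssh2
"""

# Simplified stand-in for a fail2ban sshd filter: timestamp and source IP
# of each password failure, whether or not the user exists.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+"
)


def parse_ts(ts, year=2013):
    """Syslog timestamps carry no year; the year is an assumption for the sample."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def find_bans(log_text, maxretry=5, findtime=timedelta(minutes=10)):
    """Return {ip: time_of_ban} for addresses reaching maxretry failures inside findtime.

    Sliding window per IP: keep timestamps of recent failures, drop any older
    than findtime relative to the current line, ban when the count reaches
    maxretry. Lines from an already-banned IP are skipped, since in a real
    deployment the firewall drops them before sshd ever logs anything.
    """
    recent = defaultdict(list)
    banned = {}
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue  # successful logins and unrelated lines are not counted
        ip, ts = m.group("ip"), parse_ts(m.group("ts"))
        if ip in banned:
            continue
        window = [t for t in recent[ip] if ts - t <= findtime]
        window.append(ts)
        recent[ip] = window
        if len(window) >= maxretry:
            banned[ip] = ts
    return banned


if __name__ == "__main__":
    for ip, when in find_bans(SAMPLE_AUTH_LOG).items():
        print(f"ban {ip} at {when:%H:%M:%S}")
```

With the defaults the brute-forcing address is banned on its fifth failure and the legitimate user, whose two failures fall outside the window, is left alone; loosening the thresholds (say `maxretry=2` with a one-hour `findtime`) catches both, which is the trade-off between noise suppression and locking out your own mistakes that the thread is discussing.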