[sf-lug] reasons for running/not running fail2ban

Asheesh Laroia asheesh at asheesh.org
Fri Feb 15 16:09:20 PST 2008


On Mon, 11 Feb 2008, Alex Kleider wrote:

> Saturday evening I had an opportunity to discuss fail2ban and Rick gave
> me his views on why he did NOT like to run it.
> Rick, I hope I am not misquoting you but here's my understanding:
> 1. the chance that an attacker might by this method actually guess a
> correct name and password pair is minute and

Yes, that's true so long as you don't have "joe" accounts, as Rick pointed 
out - accounts whose usernames are the same as their passwords.  Note that 
in Debian at least, passwd won't let users set absolutely terrible 
passwords (I think due to integration with cracklib), so you don't have to 
trust your users - which is nice!

> 2. you don't like the idea of a program having input into your iptables.

I know Rick clarified his position on this, but I wanted to chime in on 
point 2: That's why I would prefer to use hosts.deny and hosts.allow, 
which have very simple syntax.  fail2ban can be configured to use those 
instead.

> I was discussing this with a friend and his comment was that it isn't 
> against repeated password attempts that we are trying to protect 
> ourselves; it's against denial of service. My understanding is that it's 
> against someone who is not actually expecting to log on, but against 
> someone that just is trying to overwhelm your resources.

There's that.  There's also the annoyance of having to read all those 
failures in your log reports.  Admittedly you could use a better log file 
summary tool, but you could instead just install fail2ban like I and so 
many others do. (-:

-- Asheesh.

--
For external use only.
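To make concrete what the thread is weighing (repeated failures in the auth log, a ban threshold, and hosts.deny rather than iptables as the ban target), here is an added example that is not code from the thread or from fail2ban itself: it counts failed sshd logins per source address within a time window, the way fail2ban's `maxretry`/`findtime` pair does, and formats the offenders as TCP Wrappers hosts.deny entries. The log lines, thresholds and addresses are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sshd log sample in classic syslog form; the addresses are
# RFC 5737 documentation ranges, not real hosts.
SAMPLE_AUTH_LOG = """\
Feb 15 16:01:02 host sshd[2201]: Failed password for invalid user oracle from 203.0.113.7 port 40122 ssh2
Feb 15 16:01:05 host sshd[2203]: Failed password for invalid user test from 203.0.113.7 port 40130 ssh2
Feb 15 16:01:09 host sshd[2205]: Failed password for root from 203.0.113.7 port 40141 ssh2
Feb 15 16:01:14 host sshd[2207]: Failed password for invalid user admin from 203.0.113.7 port 40150 ssh2
Feb 15 16:02:00 host sshd[2210]: Failed password for alex from 198.51.100.4 port 51000 ssh2
Feb 15 16:02:30 host sshd[2212]: Accepted password for alex from 198.51.100.4 port 51000 ssh2
Feb 15 16:40:00 host sshd[2301]: Failed password for invalid user guest from 192.0.2.9 port 6000 ssh2
Feb 15 16:55:00 host sshd[2302]: Failed password for invalid user guest from 192.0.2.9 port 6001 ssh2
Feb 15 17:10:00 host sshd[2303]: Failed password for invalid user guest from 192.0.2.9 port 6002 ssh2
"""

FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>[\d.]+) port \d+"
)

def parse_failures(log_text, year=2008):
    """Yield (timestamp, ip) for each failed sshd password attempt.
    Syslog lines carry no year, so one is assumed (constructed sample: 2008)."""
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["ip"]

def offenders(log_text, maxretry=3, findtime_s=600):
    """Return the set of IPs with >= maxretry failures inside any findtime_s window."""
    by_ip = defaultdict(list)
    for ts, ip in parse_failures(log_text):
        by_ip[ip].append(ts)
    banned = set()
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for i, t in enumerate(times):
            # Slide the window so times[start..i] all lie within findtime_s of t.
            while (t - times[start]).total_seconds() > findtime_s:
                start += 1
            if i - start + 1 >= maxretry:
                banned.add(ip)
                break
    return banned

def hosts_deny_lines(ips, daemon="sshd"):
    """Format bans as hosts.deny entries ("daemon_list : client_list").
    sshd honours these only when built with TCP Wrappers (libwrap)."""
    return [f"{daemon}: {ip}" for ip in sorted(ips)]

if __name__ == "__main__":
    for entry in hosts_deny_lines(offenders(SAMPLE_AUTH_LOG)):
        print(entry)
```

Note that 192.0.2.9 fails three times but is spread over thirty minutes, so it falls outside the 600-second window and is not banned; widening `findtime_s` changes that, which is exactly the tuning knob that decides how much log noise a setup like this absorbs.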
