[sf-lug] reasons for running/not running fail2ban
asheesh at asheesh.org
Fri Feb 15 16:09:20 PST 2008
On Mon, 11 Feb 2008, Alex Kleider wrote:
> Saturday evening I had an opportunity to discuss fail2ban and Rick gave
> me his views on why he did NOT like to run it.
> Rick, I hope I am not misquoting you but here's my understanding:
> 1. the chance that an attacker might by this method actually guess a
> correct name and password pair is minute and
Yes, that's true so long as you don't have "joe" accounts, as Rick pointed
out - accounts whose usernames are the same as their passwords. Note that
in Debian at least, passwd won't let users set absolutely terrible
passwords (I think due to integration with cracklib), so you don't have to
trust your users - which is nice!
> 2. you don't like the idea of a program having input into your iptables.
I know Rick clarified his position on this, but I wanted to chime in on
point 2: That's why I would prefer to use hosts.deny and hosts.allow,
which have very simple syntax. fail2ban can be configured to use those
> I was discussing this with a friend and his comment was that it isn't
> against repeated password attempts that we are trying to protect
> ourselves; it's against denial of service. My understanding is that it's
> against someone who is not actually expecting to log on, but against
> someone that just is trying to overwhelm your resources.
There's that. There's also the annoyance of having to read all those
failures in your log reports. Admittedly you could use a better log file
summary tool, but you could instead just install fail2ban like I and so
many others do. (-:
For external use only.
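As an added example (not from the thread or from fail2ban itself), the core of what a fail2ban-style tool does when pointed at hosts.deny instead of iptables: count sshd password failures per source address in sample log lines, skip an allowlist the way fail2ban's ignoreip does, and emit hosts.deny entries once a threshold is reached. The log lines and addresses are constructed, and hosts.deny only has effect where sshd is built with libwrap (tcp_wrappers).

```python
import re
from collections import Counter

# Constructed sample auth.log lines (not from the original post); the
# addresses are documentation/test ranges, not real hosts.
SAMPLE_LOG = """\
Feb 15 16:01:02 host sshd[1234]: Failed password for invalid user joe from 192.0.2.10 port 40001 ssh2
Feb 15 16:01:05 host sshd[1235]: Failed password for root from 192.0.2.10 port 40002 ssh2
Feb 15 16:01:09 host sshd[1236]: Failed password for invalid user test from 192.0.2.10 port 40003 ssh2
Feb 15 16:01:12 host sshd[1237]: Failed password for invalid user admin from 192.0.2.10 port 40004 ssh2
Feb 15 16:02:30 host sshd[1240]: Failed password for alex from 198.51.100.7 port 50000 ssh2
Feb 15 16:02:45 host sshd[1241]: Accepted password for alex from 198.51.100.7 port 50001 ssh2
"""

# One "Failed password" line per attempt; the group captures the source address.
FAILED_RE = re.compile(r"sshd\[\d+\]: Failed password for .* from (\S+) port \d+")


def count_failures(log_text):
    """Return a Counter of failed sshd password attempts per source address."""
    failures = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            failures[m.group(1)] += 1
    return failures


def hosts_deny_entries(failures, maxretry=3, allowlist=()):
    """Build hosts.deny lines ("daemon: client") for addresses at or above maxretry.

    allowlist mirrors fail2ban's ignoreip: these addresses are never denied,
    so an admin who mistypes a password a few times is not locked out.
    """
    entries = []
    for addr, n in sorted(failures.items()):
        if addr in allowlist or n < maxretry:
            continue
        entries.append(f"sshd: {addr}")
    return entries


if __name__ == "__main__":
    failures = count_failures(SAMPLE_LOG)
    for entry in hosts_deny_entries(failures, maxretry=3, allowlist={"198.51.100.7"}):
        print(entry)  # these lines would be appended to /etc/hosts.deny
```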