Linux - Security
This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
fail2ban is a different thing. Read the documentation: https://github.com/fail2ban/fail2ban.
bans IP addresses conducting too many failed login attempts.
The main goal is to reduce the load on the computer, simply by disabling that external host in the firewall.
AI hacking tools and script automation have made dictionary attacks insanely easy to automate. If you allow password access without a cover mechanism (2FA etc.) then giving an attacker enough time ensures that they WILL be able to break into your system.
Fail2ban mitigates that risk by detecting the attempt based upon failed attempts from the same IP and blocking that IP. Breaking in using a dictionary attack MAY still be possible, but will take orders of magnitude longer in the attacker's best case. Using fail2ban avoids giving the attacker the time he needs to succeed. We want to not only strip from them the success, we want to prevent the collection of information about failure!
Fail2ban, properly used, improves your security profile. It does not make you totally secure, but it reduces the risk from that one kind of attack greatly.
I recommend it for hosts providing services where clients may access your host from networks that you may not fully control.
Normally a client-only machine (laptop, most desktops) does not export remote access logins and has no need for fail2ban if it runs a well configured firewall.
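The detection the post describes (count failures per source IP inside a time window, ban the IP when the count reaches a threshold, lift the ban later) in working form, as an added example that is not code from the original thread or from the fail2ban project. It models a jail's maxretry/findtime/bantime parameters over a constructed auth.log excerpt; the log lines, the hostnames, the IP addresses and the assumed year are all invented for this example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Pattern for the "Failed password" lines sshd writes to auth.log.
# The log text below is constructed for this example, not from a real host.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2"
)
YEAR = 2024  # syslog timestamps carry no year; assumed for parsing

SAMPLE_LOG = """\
Mar  3 10:00:01 host sshd[1201]: Failed password for root from 10.0.0.5 port 51000 ssh2
Mar  3 10:00:04 host sshd[1203]: Failed password for invalid user admin from 10.0.0.5 port 51002 ssh2
Mar  3 10:00:09 host sshd[1205]: Failed password for invalid user oracle from 10.0.0.5 port 51004 ssh2
Mar  3 10:00:15 host sshd[1207]: Failed password for alice from 192.0.2.7 port 40001 ssh2
Mar  3 10:00:20 host sshd[1209]: Failed password for invalid user test from 10.0.0.5 port 51006 ssh2
Mar  3 10:00:26 host sshd[1211]: Failed password for root from 10.0.0.5 port 51008 ssh2
Mar  3 10:20:00 host sshd[1301]: Failed password for alice from 192.0.2.7 port 40003 ssh2
Mar  3 10:30:00 host sshd[1401]: Accepted publickey for bob from 198.51.100.9 port 42000 ssh2
Mar  3 10:40:00 host sshd[1501]: Failed password for alice from 192.0.2.7 port 40005 ssh2
Mar  3 10:45:00 host sshd[1601]: Failed password for root from 10.0.0.5 port 51010 ssh2
Mar  3 11:05:00 host sshd[1701]: Failed password for root from 10.0.0.5 port 51012 ssh2
"""


def parse_failure(line):
    """Return (timestamp, ip, user) for a failed-login line, else None."""
    m = FAILED_RE.match(line)
    if not m:
        return None
    stamp = " ".join(m["ts"].split())  # collapse the double space in "Mar  3"
    ts = datetime.strptime(f"{YEAR} {stamp}", "%Y %b %d %H:%M:%S")
    return ts, m["ip"], m["user"]


class Jail:
    """Minimal model of a fail2ban jail: maxretry failures from one IP
    within findtime seconds bans that IP for bantime seconds."""

    def __init__(self, maxretry=5, findtime=600, bantime=3600):
        self.maxretry = maxretry
        self.findtime = timedelta(seconds=findtime)
        self.bantime = timedelta(seconds=bantime)
        self.failures = defaultdict(deque)  # ip -> failure times in window
        self.banned = {}                    # ip -> time the ban expires
        self.actions = []                   # (time, "ban" | "unban", ip)

    def _expire_bans(self, now):
        for ip, until in list(self.banned.items()):
            if now >= until:
                del self.banned[ip]
                self.actions.append((now, "unban", ip))

    def observe(self, ts, ip):
        self._expire_bans(ts)
        if ip in self.banned:
            return  # firewall already drops this host; nothing to count
        window = self.failures[ip]
        window.append(ts)
        while window and ts - window[0] > self.findtime:
            window.popleft()  # forget failures older than findtime
        if len(window) >= self.maxretry:
            self.banned[ip] = ts + self.bantime
            self.actions.append((ts, "ban", ip))
            window.clear()

    def run(self, log_text):
        for line in log_text.splitlines():
            parsed = parse_failure(line)
            if parsed:
                ts, ip, _user = parsed
                self.observe(ts, ip)
        return self.actions


if __name__ == "__main__":
    for when, action, ip in Jail().run(SAMPLE_LOG):
        print(f"{when:%H:%M:%S} {action:5} {ip}")
```

With the defaults, 10.0.0.5 is banned at its fifth failure (10:00:26) and stays banned through the 10:45 attempt; the ban lapses before the 11:05 line, which is counted again as a fresh failure. 192.0.2.7 fails three times but never more than once inside any 10 minute window, so it is never banned, which is the slow-and-low case the post warns fail2ban cannot fully stop.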
It has been a while but the last time I was attacked the script kiddies had written around fail2ban and were automatically switching IP addresses. I had quite a list of banned IP addresses. I switched to solely using a VPN and turned off ssh access from the outside...
I love using a VPN, but only if I control (to an extent I can trust) both ends.
The only completely secure machine I know of is held on a military base, in a locked room, with a guard on the door who is monitored by the guard on the hall and BOTH are monitored remotely by a security response team. The room has isolated power, no networking, and no one is allowed in with any electronic devices or recording equipment (to include a pen!) without top secret clearance, a verified need to know, and a required briefing before and after access. They get in-briefing, escorted in, there is a strict time limit on access, do a lookup and read the information, and get escorted out and debriefed. And no, I am not one who ever got to see what is on that machine.
A VPN does not secure your machine, it only secures certain information over the network while it is in transit.
Fail2ban requires a firewall, and does not secure your machine: it only provides one step to secure your primary access protocol.
Your firewall does not secure your machine, it only helps secure certain kinds of network threats.
A security concentration (about 30 Quarter hours or ~20 Semester hours at University) is a field of study and non trivial, and most of it probably does not pertain to the OP.
If you need advice on security, it might be useful to discuss what you want to secure, why, and what work you are willing to do to provide security. With a bit (lot) more information we might provide more accurate and targeted advice. Fail2ban is one common sense tool to enhance protection of your ssh connection from dictionary attacks or hacking over and above the ssh/sshd settings and features. The information that would help us determine if it is appropriate or sufficient for a specific individual case is lacking.
OP: is there more information you need or additional question related to this subject that you need us to discuss?
Hello,
Thank you so much for your reply.
With this situation, would you still recommend Fail2ban?
See
Quote:
I recommend it for hosts providing services where clients may access your host from networks that you may not fully control.
So basically, any host you can access using ssh, and any host on your internal network that can access or be accessed from the internet, should use recommended secure settings for sshd and other services, and should use fail2ban to detect and react to dictionary attacks.
I have used it in enterprise settings and in my home network. IF you only have a single laptop and cell phone, or no devices that can be accessed using ssh, then you probably do not need it. (You MAY need other solutions, because you are dealing with different threats.)
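The "recommended secure settings for sshd" this reply refers to are the other half of the defence; fail2ban only reacts to the failures sshd itself already rejected. The following is an added example, not code from the thread or from OpenSSH, that audits the global section of an sshd_config the way sshd reads it (the first value given for a keyword wins, and anything after a Match line is conditional), comparing a constructed weak config with its hardened form. The two config texts are invented for this example; the keyword defaults follow man sshd_config, and the thresholds (for instance MaxAuthTries of at most 3) are this example's choices rather than a standard.

```python
import re

# Constructed sshd_config fragments: a weak one and its hardened form.
WEAK_CONFIG = """\
# /etc/ssh/sshd_config (weak example)
Port 22
PermitRootLogin yes
PasswordAuthentication yes
MaxAuthTries 6
PermitEmptyPasswords yes
PubkeyAuthentication yes
Match User backup
    PasswordAuthentication no
"""

HARDENED_CONFIG = """\
Port 22
PermitRootLogin no
PasswordAuthentication no
KbdInteractiveAuthentication no
PermitEmptyPasswords no
PubkeyAuthentication yes
MaxAuthTries 3
Match User backup
    PasswordAuthentication no
"""

# Check applied to the effective (lower-cased) value of each keyword.
RECOMMENDED = {
    "PermitRootLogin": lambda v: v in ("no", "prohibit-password"),
    "PasswordAuthentication": lambda v: v == "no",
    "KbdInteractiveAuthentication": lambda v: v == "no",
    "PermitEmptyPasswords": lambda v: v == "no",
    "PubkeyAuthentication": lambda v: v == "yes",
    "MaxAuthTries": lambda v: v.isdigit() and int(v) <= 3,
}
# Values sshd uses when the keyword is absent (per man sshd_config).
DEFAULTS = {
    "PermitRootLogin": "prohibit-password",
    "PasswordAuthentication": "yes",
    "KbdInteractiveAuthentication": "yes",
    "PermitEmptyPasswords": "no",
    "PubkeyAuthentication": "yes",
    "MaxAuthTries": "6",
}
CANON = {k.lower(): k for k in RECOMMENDED}  # keywords are case-insensitive


def global_settings(text):
    """Return {keyword: value} for the global section of an sshd_config.
    Mirrors sshd: comments stripped, first occurrence of a keyword wins,
    parsing stops at the first Match block."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[ \t=]+", line, maxsplit=1)
        key = CANON.get(parts[0].lower(), parts[0])
        if parts[0].lower() == "match":
            break
        if len(parts) == 2 and key not in settings:
            settings[key] = parts[1].strip()
    return settings


def audit(text):
    """Return {keyword: effective value} for every recommended setting that
    fails its check; an empty dict means the global section passes."""
    found = global_settings(text)
    findings = {}
    for key, ok in RECOMMENDED.items():
        value = found.get(key, DEFAULTS[key]).lower()
        if not ok(value):
            findings[key] = value
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit(cfg) or "OK")
```

The weak config fails on five of the six checks, one of them (KbdInteractiveAuthentication) purely because the keyword is absent and the default is yes; the Match block's PasswordAuthentication no does nothing for the global default, which is exactly the mistake a line-by-line grep would miss.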
It always depends on the structure of your network and the services you use (if you have a firewall, VPN, ...).
Fail2ban is a tool to manage failed login attempts, if you have a lot of them you ought to use it. If you can't see those attempts you don't need to protect your host against that.
Quote:
Originally Posted by Jason.nix
Hello,
Thank you so much for your reply.
Can the hacker guess the SSH account other than root?
They do their best, they have a huge list of "regular" accounts and you can be sure they will try them out.
I put a web server on the internet from my home DMZ. Within 22 minutes I was getting attacks. Fail2ban had blocked half of Asia, parts of Russia, subnets in North Africa and one zone south in Africa (I cannot recall the country right now), a small portion of South America, a couple of subnets in North America, and one nasty guy in Australia within a week. We are talking THOUSANDS of individual blockings!
I had great fun automating whois and mapping the origin nodes. Eventually I set up a honeypot just for attracting and logging threats for fun.