Jerry Stuckle <[email protected]> writes:

>> <snipped previous context>
>
> OK, that makes a lot of sense.  However, there are two problems with 
> fail2ban, also.  The first one is it requires an authentication failure. 
> Port probing will not trigger it (but recent can).  The second being 
> it depends on log entries, which can be buffered.  I have it monitoring 
> my email (smtp/imap/pop3) ports.  Even though it is set to trigger after 
> two failures, I have seen as many as 50+ failures logged from the same 
> ip address within seconds before fail2ban is triggered.
>

To address your first problem with fail2ban, the sshd-ddos filter for
fail2ban does not require authentication failures.  sshd will log a
message of the form "Did not receive identification string from <IP>" if
someone makes a TCP connection and then disconnects without going
through the SSH handshake.

> I'm not so worried about SYN attacks from spoofed IP addresses as I am 
> attempts to break in (despite several security measures).  I want to 
> shut them off ASAP.
>
-- 
regards,
kushal
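As an added illustration of the point above (this is my own example, not part of kushal's message and not fail2ban's shipped sshd-ddos filter), the following Python snippet applies a regex in the spirit of that filter to a few constructed sshd log lines and counts matches per source address within a time window, the way fail2ban's maxretry/findtime settings do. The log lines, the IP addresses (from the 203.0.113.0/24 and 198.51.100.0/24 documentation ranges) and the assumed year are all made up for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample of sshd log lines in traditional syslog format.
# Syslog timestamps carry no year, so parse_ts() assumes one below.
SAMPLE_LOG = """\
Mar 10 12:00:01 host sshd[1001]: Did not receive identification string from 203.0.113.5
Mar 10 12:00:03 host sshd[1002]: Did not receive identification string from 203.0.113.5
Mar 10 12:00:04 host sshd[1003]: Accepted publickey for alice from 198.51.100.7 port 51022 ssh2
Mar 10 12:00:09 host sshd[1004]: Did not receive identification string from 203.0.113.9
Mar 10 12:30:00 host sshd[1005]: Did not receive identification string from 203.0.113.9
"""

# Pattern approximating what the sshd-ddos filter looks for: a client that
# connected and dropped the TCP session without an SSH handshake. This is
# my own regex, not the one fail2ban ships.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Did not receive identification string from (?P<ip>[0-9a-fA-F.:]+)\s*$"
)


def parse_ts(ts: str, year: int = 2024) -> datetime:
    """Turn a syslog timestamp (no year) into a datetime; year is assumed."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def find_bans(log_text: str, maxretry: int = 2, findtime: int = 600) -> list:
    """Return source IPs that produced >= maxretry matching lines within
    findtime seconds, in the order they crossed the threshold.

    maxretry and findtime mirror the fail2ban jail settings of the same
    name; the defaults here are chosen for the sample, not copied from
    any fail2ban configuration.
    """
    hits = defaultdict(deque)  # ip -> timestamps of recent matches
    banned = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a pre-handshake disconnect; ignore
        ip = m.group("ip")
        t = parse_ts(m.group("ts"))
        window = hits[ip]
        window.append(t)
        # Drop matches older than findtime relative to the newest one.
        while (t - window[0]).total_seconds() > findtime:
            window.popleft()
        if len(window) >= maxretry and ip not in banned:
            banned.append(ip)
    return banned


if __name__ == "__main__":
    print("would ban:", find_bans(SAMPLE_LOG))
```

With the defaults, 203.0.113.5 crosses the threshold (two matches two seconds apart) while 203.0.113.9 does not, because its two matches are 30 minutes apart and the first has aged out of the 600-second window; widening findtime to an hour bans both. Note that, like fail2ban, this only sees lines once they reach the log, so buffered logging delays the ban in exactly the way the quoted message describes.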


Archive: http://lists.debian.org/[email protected]
