On 15/11/2016 9:52 PM, Sean Greenslade wrote:
On Tue, Nov 15, 2016 at 04:21:17AM -0500, Ron Wheeler wrote:
Fail2ban might be able to do the whack-a-mole in a sensible manner that
allowed for innocent interruptions but banned the bad guys
For the kind of attempts I typically see, F2B won't do much. It's
usually not a brute force type of attack. Generally it's only a single
connection that either attempts to fingerprint the server (checking for
known vulns) or just tries a few "easy" passwords (e.g. root/root,
pi/raspberry).
F2B is pretty flexible.
You can say that any IP that fails to log in as root or pi 3 times in a
week should be banned for a month, or forever if you really see a subtle
attack.
You have control of the frequency of log messages that constitute an attack.
You can look for any string in the log so you can watch for the
vulnerability probes as well as login attempts.
Ron
I would suggest simple connection rate limiting and enforcing strong
passwords as a better (in my opinion) option.
--Sean
--
Ron Wheeler
President
Artifact Software Inc
email: rwhee...@artifact-software.com
skype: ronaldmwheeler
phone: 866-970-2435, ext 102
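Added example, not code from the thread or from the fail2ban project: a small
Python replay of the policy Ron describes (three failed root/pi logins in a
week bans the source for a month) plus a second rule that bans on a single
vulnerability-probe string, using the same maxretry/findtime/bantime semantics
a fail2ban jail has. The log lines are constructed (RFC 5737 documentation
addresses, year assumed to be 2016 because syslog omits it), and the
regexes and jail names are mine, not fail2ban's shipped filters.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sshd auth.log lines (not from a real host). Note the Nov 01
# failure: it falls outside the one-week window and must not count.
SAMPLE_LOG = """\
Nov 01 02:00:00 host sshd[900]: Failed password for pi from 203.0.113.5 port 50001 ssh2
Nov 15 04:21:17 host sshd[1001]: Failed password for root from 203.0.113.5 port 51234 ssh2
Nov 15 04:21:20 host sshd[1002]: Failed password for invalid user pi from 203.0.113.5 port 51240 ssh2
Nov 16 11:00:00 host sshd[1200]: Failed password for alice from 198.51.100.7 port 55000 ssh2
Nov 16 11:00:05 host sshd[1201]: Accepted password for alice from 198.51.100.7 port 55000 ssh2
Nov 17 09:02:11 host sshd[1103]: Failed password for root from 203.0.113.5 port 40022 ssh2
Nov 18 22:13:45 host sshd[1300]: Bad protocol version identification 'GET / HTTP/1.1' from 192.0.2.9 port 33001
"""

HOST_RE = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# Hypothetical jails. "bantime" of None stands in for fail2ban's bantime = -1
# (permanent ban); the rest mirror maxretry / findtime / bantime in jail.local.
JAILS = {
    "sshd-rootpi": {
        "failregex": re.compile(
            r"sshd\[\d+\]: Failed password for (?:invalid user )?(?:root|pi) from " + HOST_RE),
        "maxretry": 3,
        "findtime": timedelta(weeks=1),
        "bantime": timedelta(days=30),
    },
    "sshd-probe": {
        # Any string in the log can be a trigger; here an HTTP request sent
        # to the SSH port, which sshd logs as a bad protocol identification.
        "failregex": re.compile(
            r"sshd\[\d+\]: Bad protocol version identification .* from " + HOST_RE),
        "maxretry": 1,
        "findtime": timedelta(weeks=1),
        "bantime": None,
    },
}


def parse_ts(line, year):
    """Syslog timestamps have no year, so the caller supplies one (assumed)."""
    return datetime.strptime(line[:15], "%b %d %H:%M:%S").replace(year=year)


def run_jails(log_text, year=2016):
    """Replay log lines through each jail in order.

    Returns {jail_name: {ip: ban_expiry_datetime_or_None}}; None means permanent.
    """
    attempts = {name: defaultdict(deque) for name in JAILS}
    bans = {name: {} for name in JAILS}
    for line in log_text.splitlines():
        ts = parse_ts(line, year)
        for name, jail in JAILS.items():
            m = jail["failregex"].search(line)
            if not m:
                continue
            ip = m.group("host")
            if ip in bans[name]:
                continue  # already banned; the firewall would have dropped it
            window = attempts[name][ip]
            window.append(ts)
            # Drop failures older than findtime relative to this event.
            while window and ts - window[0] > jail["findtime"]:
                window.popleft()
            if len(window) >= jail["maxretry"]:
                bans[name][ip] = ts + jail["bantime"] if jail["bantime"] else None
    return bans


if __name__ == "__main__":
    for jail, banned in run_jails(SAMPLE_LOG).items():
        for ip, until in banned.items():
            print(f"{jail}: ban {ip} until {until or 'forever'}")
```

Running it bans 203.0.113.5 for 30 days from the third in-window failure
(the Nov 01 attempt is aged out) and 192.0.2.9 permanently after one probe,
while alice's single typo from 198.51.100.7 is never touched; the same three
numbers are what you would tune in a jail's maxretry, findtime and bantime.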