I hope fail2ban default ban rule will work,
or should we add some more rules to it?

---- On Tuesday, 15 November 2016 19:11:41 -0800 Ron Wheeler <rwhee...@artifact-software.com> wrote ----

On 15/11/2016 9:52 PM, Sean Greenslade wrote:
> On Tue, Nov 15, 2016 at 04:21:17AM -0500, Ron Wheeler wrote:
>> Fail2ban might be able to do the whack-a-mole in a sensible manner that
>> allowed for innocent interruptions but banned the bad guys
> For the kind of attempts I typically see, F2B won't do much. It's
> usually not a brute force type of attack. Generally it's only a single
> connection that either attempts to fingerprint the server (checking for
> known vulns) or just tries a few "easy" passwords (e.g. root/root,
> pi/raspberry).

F2B is pretty flexible.
You can say that any IP that fails to log in on root or pi 3 times in a week
should be banned for a month or forever if you really see a subtle attack.
You have control of the frequency of log messages that constitute an attack.
You can look for any string in the log so you can watch for the
vulnerability probes as well as login attempts.

Ron

>
> I would suggest simple connection rate limiting and enforcing strong
> passwords as a better (in my opinion) option.
>
> --Sean
>
>

--
Ron Wheeler
President
Artifact Software Inc
email: rwhee...@artifact-software.com
skype: ronaldmwheeler
phone: 866-970-2435, ext 102
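
The rule Ron describes (three failed logins as root or pi from one IP within a week, then a month-long ban), written out as an added Python example that is not part of the thread and is not fail2ban's own code. The constant names echo fail2ban's maxretry/findtime/bantime settings; the log lines, the host name "gw" and the ISO 8601 timestamp format are assumptions made for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Policy from the thread; names echo fail2ban's maxretry/findtime/bantime.
WATCHED_USERS = {"root", "pi"}
MAXRETRY = 3
FINDTIME = timedelta(weeks=1)
BANTIME = timedelta(days=30)

# Matches OpenSSH "Failed password" lines, with or without "invalid user".
FAILED = re.compile(
    r"^(?P<ts>\S+) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

# Constructed sample log (documentation IP ranges, hypothetical host "gw").
SAMPLE_LOG = """\
2016-11-01T08:00:00 gw sshd[301]: Failed password for root from 198.51.100.20 port 40112 ssh2
2016-11-05T08:00:00 gw sshd[377]: Failed password for root from 198.51.100.20 port 40150 ssh2
2016-11-07T03:12:45 gw sshd[811]: Failed password for root from 203.0.113.7 port 51022 ssh2
2016-11-08T10:00:00 gw sshd[820]: Failed password for alice from 192.0.2.44 port 50001 ssh2
2016-11-08T10:00:05 gw sshd[820]: Failed password for alice from 192.0.2.44 port 50001 ssh2
2016-11-08T10:00:09 gw sshd[820]: Failed password for alice from 192.0.2.44 port 50001 ssh2
2016-11-09T17:30:10 gw sshd[902]: Failed password for invalid user pi from 203.0.113.7 port 51990 ssh2
2016-11-12T23:40:02 gw sshd[977]: Failed password for root from 203.0.113.7 port 52411 ssh2
2016-11-14T08:00:00 gw sshd[990]: Failed password for root from 198.51.100.20 port 40301 ssh2
""".splitlines()

def find_bans(lines):
    """Return {ip: (banned_at, banned_until)} for IPs that trip the policy."""
    recent = defaultdict(deque)  # ip -> failure times still inside FINDTIME
    bans = {}
    for line in lines:
        m = FAILED.match(line)
        if not m or m["user"] not in WATCHED_USERS:
            continue
        ts, ip = datetime.fromisoformat(m["ts"]), m["ip"]
        if ip in bans and ts < bans[ip][1]:
            continue  # ban still active, nothing more to count
        window = recent[ip]
        window.append(ts)
        while ts - window[0] > FINDTIME:
            window.popleft()  # forget failures older than a week
        if len(window) >= MAXRETRY:
            bans[ip] = (ts, ts + BANTIME)
            window.clear()
    return bans
```

On the sample, only 203.0.113.7 is banned: 198.51.100.20 also fails three times as root, but spread over thirteen days, and the three failures for alice are outside the watched accounts.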