Hello, This is off topic anyway but I think you're right. Fail2ban is not for the lazy, it's for people who have a lot of time to lose in an inefficient solution. Before cloud era F2B was a really great solution, but as it's been pointed out, current attackers can leverage 100s ou 1000s of IP addresses to evade detection / rate limiting control and obviously Fail2ban. Don't read me wrong, F2B and other similar protections are nice to have (I'm using blacklistd on FreeBSD for example), but their are being obsoleted by the change in attacks pattern. Thinking of F2B as a silver bullet is a lack of understanding infosec, to use your own words.
The really lazy solution is the one that cost almost nothing, is light maintenance, and solve your problem once and for all. Allowing only client certificate for authentication can be a perfect and lazy solution, depending on your context. This is absolutely bullet-proof, 100% efficient against brute-force and can be low/medium maintenance. Obviously YMMV as it's highly dependent of your context (how many users, how you provide support for them, etc.). patpro April 26, 2022 7:32 AM, "Antonio Leding" <t...@leding.net (mailto:t...@leding.net?to=%22Antonio%20Leding%22%20<t...@leding.net>)> wrote: I’ve been using F2B for over 4-5 years and it’s fantastic. F2B is just one of many very useful tools in the belt of any knowledgable infosec practitioner. To consider F2B as “only for the lazy” speaks more to a lack of truly understanding infosec than it does of the tool itself… ------------------------------------ On 25 Apr 2022, at 0:07, Laura Smith wrote: ------- Original Message ------- On Monday, April 25th, 2022 at 05:26, ミユナ al...@coakmail.com (mailto:al...@coakmail.com) wrote: do you know how to stop passwords from being brute-forced for a mailserver? do you have any practical guide? Simple. You've got two options: a) Use strong passwords (and if you run an automated password changing system, enforce strong passwords) b) Use client-certificate authentication Stuff like fail2ban is for the lazy. You should be focusing on solving the underlying cause of the problem, i.e. using one of the two options above. The problem with stuff like fail2ban is that you are basically playing whack-a-mole. IP address blocking simply does not work 2022, attackers have too many options (i.e. they can hop between cloud providers, they can use IPv6 to give them massive ranges to play with etc. etc.).
