On 4/26/2022 7:15 PM, Demi Marie Obenour wrote:
> On 4/26/22 01:35, Antonio Leding wrote:
>> Anyone who thinks that F2B merely “quiets logs” unfortunately has no
>> idea what F2B actually does…
> Would you mind explaining?
TL;DR for many:
The fail2ban service watches logfiles for things that indicate likely
brute-force attacks, like failed login attempts, and bans the offending
IP address from accessing the machine for a certain amount of time. The
bans are deployed on Linux as rules in the iptables firewall, so if you
have the host firewall disabled, fail2ban usually won't work on Linux.
Failed logins for ssh are the most visible thing that fail2ban monitors,
and often ssh logins are monitored out of the box when fail2ban is
installed from a distribution's package repo.
I have my fail2ban service also monitoring logs for postfix, dovecot,
and haproxy, which sits between the Internet and all my web-based
services. I do very often see IP addresses banned for repeated failures
in the logs on those services.
One of the most visible benefits people often see when they run fail2ban
is lower CPU utilization. Having tons of things try to log in via ssh
results in lots of encryption work for the CPU, and for lower-end
servers, this can result in near-DDoS conditions. One of my Raspberry Pi
units has a CPU without any kind of encryption acceleration. If it were
publicly reachable, the ssh attempts it would see without fail2ban could
cripple it.
Thanks,
Shawn
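To make the mechanism Shawn describes concrete, here is an added example (my own illustration, not fail2ban's code and not part of the thread) of the core fail2ban loop for an sshd jail: parse auth-log lines for failed logins, count failures per source address inside a sliding window (fail2ban's `findtime`), and flag addresses that reach `maxretry`. The log lines are constructed, the year is assumed because syslog timestamps carry none, and `ban_rule` only returns the iptables command string that a fail2ban-style action would run (chain name `f2b-sshd` and the REJECT target follow fail2ban's usual defaults but are assumptions here); nothing is executed against a real firewall.

```python
"""Minimal fail2ban-style failed-login detector for sshd logs (illustration only)."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Classic sshd failure line as written to syslog; format assumed from common output.
FAIL_RE = re.compile(
    r"^(?P<ts>\w{3} [ \d]\d \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>[\d.]+) port \d+"
)

# Constructed sample log: one host hammering sshd, one slow retrier, one good login.
SAMPLE_LOG = [
    "Apr 26 07:15:01 mail sshd[4021]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2",
    "Apr 26 07:15:04 mail sshd[4021]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2",
    "Apr 26 07:15:07 mail sshd[4023]: Failed password for root from 203.0.113.7 port 51240 ssh2",
    "Apr 26 07:15:09 mail sshd[4025]: Failed password for root from 198.51.100.9 port 40010 ssh2",
    "Apr 26 07:15:11 mail sshd[4027]: Failed password for invalid user test from 203.0.113.7 port 51250 ssh2",
    "Apr 26 07:15:14 mail sshd[4029]: Failed password for invalid user test from 203.0.113.7 port 51252 ssh2",
    "Apr 26 07:15:20 mail sshd[4031]: Accepted publickey for shawn from 192.0.2.10 port 50000 ssh2",
    "Apr 26 07:30:30 mail sshd[4040]: Failed password for root from 198.51.100.9 port 40022 ssh2",
]


def parse_ts(ts: str, year: int = 2022) -> datetime:
    """Syslog timestamps have no year, so one is assumed (2022 matches the thread date)."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def find_offenders(lines, maxretry: int = 5, findtime: int = 600) -> dict:
    """Return {ip: time_of_ban} for addresses with >= maxretry failures within
    findtime seconds. Mirrors fail2ban's maxretry/findtime jail settings."""
    window = defaultdict(deque)  # ip -> timestamps of recent failures
    banned = {}
    for line in lines:
        m = FAIL_RE.match(line)
        if not m:
            continue  # not a failure line (successful login, other daemon, etc.)
        ip, when = m.group("ip"), parse_ts(m.group("ts"))
        if ip in banned:
            continue  # already banned; fail2ban would not see further attempts either
        q = window[ip]
        q.append(when)
        # Drop failures older than the window so slow, spread-out retries do not accumulate.
        while q and (when - q[0]).total_seconds() > findtime:
            q.popleft()
        if len(q) >= maxretry:
            banned[ip] = when
    return banned


def ban_rule(ip: str, chain: str = "f2b-sshd") -> str:
    """iptables command a fail2ban-style action would run for a banned address
    (string only; chain name and REJECT target are assumed defaults)."""
    return f"iptables -I {chain} 1 -s {ip} -j REJECT --reject-with icmp-port-unreachable"


if __name__ == "__main__":
    for ip, when in find_offenders(SAMPLE_LOG).items():
        print(f"{when:%b %d %H:%M:%S} ban {ip}: {ban_rule(ip)}")
```

Running it bans only 203.0.113.7 (five failures in 13 seconds); 198.51.100.9 never reaches the threshold because its two failures are 15 minutes apart, which is exactly the effect of `findtime`. Raising `findtime` or lowering `maxretry` changes that outcome, which is the trade-off to think about when tuning a jail: a short window keeps a mistyped password from locking out a legitimate user, a long one catches slow, low-and-slow guessing.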