Hey Jeroen

> A single IP will only hit you a few times... typically below the
> threshold of standard fail2ban or other alarm bells.
> The distributed scanner will keep on trying by using another IP from
> their vast botnet...

Well, from experience I cannot confirm that at all. Apparently, there are still a lot of script kiddies out there or less sophisticated attacks going on. Fail2Ban sure helps with those.

If you want to use it in a more aggressive way, you can also combine port knocking with fail2ban and ban source IPs the first time they "misbehave".

> The big question: Why is that SSH port open to the world ? :)

Depends on the use case. I second your opinion when it comes to best practices, but I am also running a couple of servers with SSH open to the world because I don't have, need or want an extra jump host at that location to access a single system, for example. So there are reasons.

Cheers,
Manuel

--
Manuel Schweizer
cloudscale.ch AG
Venusstrasse 29
CH-8050 Zürich

Fon: +41 44 55 222 55
Fax: +41 44 55 222 56
Web: https://www.cloudscale.ch

_______________________________________________
swinog mailing list
http://lists.swinog.ch/cgi-bin/mailman/listinfo/swinog

