Subj : Alternative(s) to ipset on OpenVZ
To   : Alexey Vissarionov
From : Joaquim Homrighausen
Date : Mon Dec 18 2017 21:40:18

av> Very dangerous thing... However, it makes some fun to use it
av> against the admin^Widiot who installed it :-)

I'm curious ... why is fail2ban dangerous?

av> Being a security expert, I know (and use; and, obviously,
av> recommend) better method: limit the number of connections per
av> minute to 2 or 3, thus making any and all bruteforce attacks
av> time-ineffective.

I don't see why these are mutually exclusive ... but maybe I'm not an expert enough. If you use key-only authentication for SSH (for example), it makes perfect sense to add someone to a ban list for 15-600 minutes if they fail 3 times (for example).

I quite often legitimately connect with 2-3-4 SSH sessions to the same server within a few minutes, but they don't fail of course :)

-joho

---
 * Origin: code.code.code (2:20/4609)
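
Added example, not part of the original message: a small Python simulation of the two policies discussed above, a per-source limit of 3 new connections per minute and a 15-minute ban after 3 failed logins. The events, addresses, function names and the 10-minute failure window are constructed assumptions, and the rate limiter is a simplified sliding-window model, not any particular firewall's implementation.

```python
from collections import defaultdict, deque

def rate_limit(events, max_per_min=3):
    """Count connections per source that get through a 3-per-60-s limit."""
    recent = defaultdict(deque)      # src -> times of accepted connections
    reached = defaultdict(int)       # src -> connections that reached sshd
    for t, src, _ok in events:
        window = recent[src]
        while window and t - window[0] >= 60:
            window.popleft()         # forget connections older than 60 s
        if len(window) < max_per_min:
            window.append(t)
            reached[src] += 1
    return dict(reached)

def fail_ban(events, max_fail=3, ban_seconds=15 * 60, find_seconds=600):
    """Count connections per source that get through a ban-on-failure policy."""
    fails = defaultdict(deque)       # src -> times of recent failed logins
    banned_until = {}                # src -> time the ban expires
    reached = defaultdict(int)
    for t, src, ok in events:
        if t < banned_until.get(src, 0):
            continue                 # source is banned, connection dropped
        reached[src] += 1
        if ok:
            continue                 # successful logins never count as failures
        window = fails[src]
        window.append(t)
        while t - window[0] >= find_seconds:
            window.popleft()
        if len(window) >= max_fail:
            banned_until[src] = t + ban_seconds
            window.clear()
    return dict(reached)

# Constructed sample: an admin opening 4 sessions in 30 s (all succeed) and a
# scanner failing a login every 5 s for 10 minutes. Documentation addresses.
ADMIN, SCANNER = "198.51.100.7", "203.0.113.9"
EVENTS = sorted(
    [(t, ADMIN, True) for t in (0, 10, 20, 30)]
    + [(t, SCANNER, False) for t in range(0, 600, 5)]
)

if __name__ == "__main__":
    print("rate limit:", rate_limit(EVENTS))
    print("fail ban:  ", fail_ban(EVENTS))
```

In this constructed run the rate limit drops the admin's fourth session and still lets the scanner make 30 attempts in 10 minutes, while the failure-based ban lets all 4 admin sessions through and stops the scanner after 3 attempts.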