Subj : Alternative(s) to ipset on OpenVZ
To   : Joaquim Homrighausen
From : Alexey Vissarionov
Date : Tue Dec 19 2017 07:00:00

Good ${greeting_time}, Joaquim!

18 Dec 2017 21:40:18, you wrote to me:

 av>> Very dangerous thing... However, it makes some fun to
 av>> use it against the admin^Widiot who installed it :-)
      ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
 JH> I'm curious ... why is fail2ban dangerous?

Didn't you read the message before answering it?

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5642

and some others discovered since then.

 av>> Being a security expert, I know (and use; and, obviously,
 av>> recommend) a better method: limit the number of connections per
 av>> minute to 2 or 3, thus making any and all bruteforce attacks
 av>> time-ineffective.
 JH> I don't see why these are mutually exclusive ... but maybe I'm
 JH> not expert enough. If you use key-only authentication for SSH

Don't you?

 JH> (for example), it makes perfect sense to add someone to a ban
 JH> list for 15-600 minutes if they fail 3 times (for example).

Now imagine someone had tricked your funny stupid fail2ban to ban _you_...

 JH> I quite often legitimately connect with 2-3-4 SSH sessions to the
 JH> same server within a few minutes, but they don't fail of course :)

I guess you simply don't know about screen.


--
Alexey V. Vissarionov aka Gremlin from Kremlin
gremlin.ru!gremlin; +vii-cmiii-cmlxxvii-mmxlviii

... :wq!
--- /bin/vi
 * Origin: http://openwall.com/Owl (2:5020/545)
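Editor's added example (not part of Alexey's message, nor code from fail2ban or any other project). It illustrates the two points the message makes: first, why a ban tool that derives the address to block from a parsed log line can be "tricked to ban _you_" (an attacker chooses the username, sshd logs it verbatim, so a username that itself looks like "from <ip> port <n>" confuses a loose regex; this is the general log-injection class, not a reproduction of the specific CVE cited above); second, the recommended alternative, limiting new connections per source to a few per minute, shown as a plain sliding-window counter of the kind a netfilter `recent`-style rule keeps in the kernel. Everything is simulated: the sshd-style log lines, the addresses (RFC 5737 documentation ranges) and the event timestamps are constructed, and the regexes are illustrative, not fail2ban's filters.

```python
import re
from collections import defaultdict, deque

# Constructed sshd-style log lines (not from the original message).
# Line 1: ordinary failed login from 203.0.113.5.
# Line 2: the client at 203.0.113.5 presents the *username*
#         "admin from 198.51.100.7 port 22"; sshd logs it verbatim, so a
#         fake "from <ip> port <n>" fragment now precedes the real one.
LOG_LINES = [
    "Dec 18 21:40:18 host sshd[4242]: Failed password for invalid user admin "
    "from 203.0.113.5 port 51234 ssh2",
    "Dec 18 21:40:19 host sshd[4243]: Failed password for invalid user "
    "admin from 198.51.100.7 port 22 from 203.0.113.5 port 51235 ssh2",
]

# Naive extraction: the first "from <ip>" after "Failed password for".
# The attacker controls the text in between, so they control the match.
NAIVE_RE = re.compile(r"Failed password for .*?from (\d+\.\d+\.\d+\.\d+)")

# Stricter extraction: sshd always appends the peer address and port *after*
# the username, so anchor on the fixed tail of the line, not the head.
STRICT_RE = re.compile(r" from (\d+\.\d+\.\d+\.\d+) port \d+ ssh2$")


def extract_naive(line):
    m = NAIVE_RE.search(line)
    return m.group(1) if m else None


def extract_strict(line):
    m = STRICT_RE.search(line)
    return m.group(1) if m else None


def ban_candidates(lines, extractor):
    """Addresses a log-driven ban tool would act on, given an extractor."""
    return {ip for ip in (extractor(line) for line in lines) if ip}


# Constructed connection events (time-ordered): attacker 203.0.113.5 hammers
# the port every 10 s, admin 192.0.2.10 opens two sessions in one minute.
SAMPLE_EVENTS = [
    (0, "203.0.113.5"), (2, "192.0.2.10"), (10, "203.0.113.5"),
    (20, "203.0.113.5"), (30, "203.0.113.5"), (40, "203.0.113.5"),
    (45, "192.0.2.10"), (100, "203.0.113.5"),
]


def rate_limit(events, limit=3, window=60):
    """Simulate 'at most `limit` new connections per `window` seconds per
    source address'. Every attempt is recorded, dropped ones included, so a
    persistent attacker stays blocked while they keep trying (the behaviour
    of a recent-match rule with --update). The decision is keyed on the
    packet's real source, never on text the peer could have injected.
    Returns a list of (timestamp, ip, 'ACCEPT' | 'DROP')."""
    seen = defaultdict(deque)
    verdicts = []
    for ts, ip in events:
        q = seen[ip]
        while q and ts - q[0] >= window:  # age out old hits
            q.popleft()
        q.append(ts)
        verdicts.append((ts, ip, "DROP" if len(q) > limit else "ACCEPT"))
    return verdicts


if __name__ == "__main__":
    print("naive would ban :", sorted(ban_candidates(LOG_LINES, extract_naive)))
    print("strict would ban:", sorted(ban_candidates(LOG_LINES, extract_strict)))
    for ts, ip, verdict in rate_limit(SAMPLE_EVENTS):
        print(f"t={ts:3d}s {ip:<13} {verdict}")
```

With the naive regex the second line yields 198.51.100.7, an address the attacker typed, so an innocent host ends up on the ban list; the tail-anchored regex yields the real peer 203.0.113.5 for both lines. The rate limiter accepts the attacker's first three attempts, drops the next two, and only lets a new attempt through once a full quiet minute has passed, while the admin's two sessions are never affected.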