Subj : Alternative(s) to ipset on OpenVZ
To   : Alexey Vissarionov
From : Joaquim Homrighausen
Date : Tue Dec 19 2017 13:39:16

 av> Didn't you read the message before answering it?

Of course I did.

 av> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5642
 av> and some others discovered since that.

Thanks for pointing that out.

 JH>> I don't see why these are mutually exclusive ... but maybe I'm
 JH>> not an expert enough. If you use key-only authentication for SSH

 av> Don't you?

That's what I said.

 JH>> (for example), it makes perfect sense to add someone to a ban
 JH>> list for 15-600 minutes if they fail 3 times (for example).

 av> Now imagine someone had tricked your funny stupid fail2ban to ban
 av> _you_...

Yes, imagine that.

 JH>> I quite often legitimately connect with 2-3-4 SSH sessions to the
 JH>> same server within a few minutes, but they don't fail of course :)

 av> I guess you simply don't know about screen.

Oh but I do. I don't know what in my above text led you to that conclusion.



 -joho

---
 * Origin: code.code.code (2:20/4609)

.