[HN Gopher] Fail2ban Sucks
___________________________________________________________________
Fail2ban Sucks
Author : ementally
Score : 29 points
Date : 2024-01-01 19:32 UTC (3 hours ago)
(HTM) web link (j3s.sh)
(TXT) w3m dump (j3s.sh)
| aborsy wrote:
| It's unnecessary, at least for SSH, in the first place.
| theandrewbailey wrote:
| > * changing your SSH port to a non-root port (>1024) means that if
| the SSH daemon dies, any userland process can take its place.
| This is bad.
|
| If you're relying on privileged ports, you've already lost the
| battle.
| plz-remove-card wrote:
| On {Free,Net}BSD[1][2] you get Bl*cklistd which is a much better
| approach than parsing log files.
|
| [1]
| https://man.freebsd.org/cgi/man.cgi?query=blacklistd&sektion...
|
| [2] https://man.netbsd.org/blocklistd.8
| sedatk wrote:
| Isn't that specifically DoS oriented? Doesn't seem to cover
| fail2ban's use case.
| solarpunk wrote:
| hell yeah, brother
| ufmace wrote:
| I agree with this viewpoint. IMO, a lot of these types of threads
| fill up fast with gimmicky things that sound good at first but do
| nothing to increase security against realistic threats, plus are
| at least inconvenient to set up and maintain, if not prone to
| misfiring and blocking you.
|
| The real advice for setting up new servers IMO is, SSH pubkey
| auth is perfectly adequate security. Set it up normally on the
| default port logging in as root, disable password login, and
| don't worry about the noisy failed bot logins. This is a lot more
| convenient for automated setup and maintenance and has no
| practical loss of security.
| sedatk wrote:
| If you shouldn't worry about noisy failed logins, what's the
| purpose of monitoring login logs? Do you mean to stop
| monitoring them altogether?
| kseifried wrote:
| Fail2ban could be potentially useful in an era of passwords,
| especially when systems allowed anyone to login remotely, and you
| only had the one server because servers were very expensive.
|
| However, the moment the industry went to SSH keys en masse, and
| got away from passwords, fail2ban stopped serving any real purpose
| other than to make people feel like they had done something to
| improve security. Which it didn't really, especially if you
| enforced key usage only for logins.
|
| Literally, the only argument you can make is that fail2ban might
| reduce the number of log entries.
| zimpenfish wrote:
| > the moment the industry went to SSH keys en masse [...]
| fail2ban stopped serving any real purpose
|
| That assumes people only use it for sshd, no? Which isn't the
| case [anecdatum] for me, at least - I use it for ssh, http
| (several servers), imap, smtp, mqtt, etc. Make a request for
| phpMyAdmin pages on my server? 10 day timeout for you, sir.
| IMAPS connection with incorrect username? 10 days in the bin.
| etc.
|
| Yeah, it reduces log entries but it also reduces unwanted
| resource consumption and keeps my servers working instead of
| chugging under non-useful load.
| kuon wrote:
| While I agree with most of the points, I think the most important
| one is: your time is precious. Spending hours setting up things
| is a really high price to pay for something that might never be
| of use.
| michaelt wrote:
| _> at worst, fail2ban: causes you massive inconvenience or total
| lockout [...] it'll probably block you out._
|
| I agree that fail2ban is useless once you've disabled password
| login, which you should have done.
|
| But is anyone really getting locked out of their own systems by
| fail2ban unless they're doing something pretty weird? I thought
| it gave you about 5 password attempts, and then blocked you for
| 10 minutes - doesn't seem that draconian to me.
| kleiba wrote:
| In one of my previous jobs, it blocked me out after 3 attempts
| indefinitely - that is, until I got a hold of the sysadmin and
| asked him to unblock me. It was a PITA, as you can imagine. And
| I don't understand why any sysadmin would want to put
| themselves in a position to get bothered regularly by people
| who tend to mistype their passwords like me.
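The three comments above each describe a jail with different numbers: zimpenfish's one-request-to-phpMyAdmin or one-bad-IMAP-login ban lasting 10 days, michaelt's 5 attempts then a 10 minute block (fail2ban's stock jail.conf defaults), and kleiba's 3 attempts then an indefinite ban. The following is an added example, not fail2ban's own code or anyone's posted configuration, that replays constructed log lines through a small model of fail2ban's `maxretry`/`findtime`/`bantime` logic so the behaviour of each setting can be seen directly. The addresses, timestamps, log lines and jail names are all constructed for the demo; real fail2ban filters write `<HOST>` where these regexes use a named `ip` group.

```python
"""Fail2ban-style jail logic replayed over constructed log lines.

Added example, not fail2ban's own code.  A jail here is: a filter regex
that pulls the client address out of matching lines, a per-address
counter that bans once `maxretry` matches fall inside `findtime`
seconds, and a ban that lasts `bantime` seconds (-1 = never expires).
Every log line, address, timestamp and parameter below is constructed.
"""
import re
from collections import defaultdict, deque


class Jail:
    def __init__(self, name, failregex, maxretry, findtime, bantime):
        self.name = name
        # Real fail2ban filters write <HOST> where this uses (?P<ip>...).
        self.failregex = re.compile(failregex)
        self.maxretry = maxretry
        self.findtime = findtime            # seconds
        self.bantime = bantime              # seconds; -1 = permanent
        self.failures = defaultdict(deque)  # ip -> match times inside the window
        self.bans = {}                      # ip -> expiry time, or None if permanent

    def is_banned(self, ip, now):
        if ip not in self.bans:
            return False
        expiry = self.bans[ip]
        if expiry is None or now < expiry:
            return True
        del self.bans[ip]                   # ban has lapsed; forget it
        return False

    def feed(self, now, line):
        """Feed one log line seen at time `now`; return the ip if it gets banned."""
        m = self.failregex.search(line)
        if not m:
            return None
        ip = m.group("ip")
        if self.is_banned(ip, now):         # the firewall would have dropped this
            return None
        window = self.failures[ip]
        window.append(now)
        while window and window[0] <= now - self.findtime:
            window.popleft()                # matches older than findtime do not count
        if len(window) >= self.maxretry:
            window.clear()
            self.bans[ip] = None if self.bantime < 0 else now + self.bantime
            return ip
        return None


def replay(jail, events):
    """Run (timestamp, line) events through a jail; return the [(t, ip)] bans it issues."""
    return [(t, ip) for t, line in events if (ip := jail.feed(t, line)) is not None]


# Constructed filters for three kinds of log line.
SSHD_FAIL = r"sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from (?P<ip>\S+) port \d+"
PMA_PROBE = r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST|HEAD) /(?i:phpmyadmin|pma)[/ ?]'
IMAP_FAIL = r"imap-login: Disconnected \(auth failed.*?rip=(?P<ip>[0-9a-fA-F.:]+)"


def sshd_line(ip, user="root"):
    return f"Jan  1 19:32:00 host sshd[4242]: Failed password for {user} from {ip} port 51000 ssh2"


def nginx_line(ip, request):
    return f'{ip} - - [01/Jan/2024:19:32:01 +0000] "{request} HTTP/1.1" 404 153 "-" "Mozilla/5.0"'


def dovecot_line(ip, user):
    return (f"Jan  1 19:40:01 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): "
            f"user=<{user}>, method=PLAIN, rip={ip}, lip=203.0.113.1, TLS, session=<abc>")


# Constructed events as (seconds, line); sorted so the replay is chronological.
SSH_EVENTS = sorted([
    *[(t, sshd_line("203.0.113.5")) for t in (0, 10, 20, 30, 40)],     # burst: 5 in 40s -> ban at t=40
    (100, sshd_line("203.0.113.5")),                                   # still banned, ignored
    (700, sshd_line("203.0.113.5")),                                   # ban lapsed at t=640, count restarts
    *[(t, sshd_line("198.51.100.7", "invalid user admin")) for t in (0, 300, 700, 1000)],  # never 5 in 600s
])
PMA_EVENTS = [
    (0, nginx_line("192.0.2.9", "GET /phpmyadmin/index.php")),         # one probe -> 10 day ban
    (1, nginx_line("192.0.2.10", "GET /")),                            # ordinary request, untouched
    (2, nginx_line("192.0.2.11", "GET /pmail/inbox")),                 # starts with /pma but is not a probe
]
IMAP_EVENTS = [(t, dovecot_line("2001:db8::1", "admin")) for t in (0, 1, 2)]


def demo():
    """Return {jail name: (bans issued, jail)} for the three constructed scenarios."""
    sshd = Jail("sshd", SSHD_FAIL, maxretry=5, findtime=600, bantime=600)          # 5 tries, 10 min
    pma = Jail("phpmyadmin", PMA_PROBE, maxretry=1, findtime=600, bantime=10 * 86400)  # 1 hit, 10 days
    imap = Jail("dovecot", IMAP_FAIL, maxretry=3, findtime=600, bantime=-1)        # 3 tries, forever
    return {
        "sshd": (replay(sshd, SSH_EVENTS), sshd),
        "phpmyadmin": (replay(pma, PMA_EVENTS), pma),
        "dovecot": (replay(imap, IMAP_EVENTS), imap),
    }


if __name__ == "__main__":
    for name, (bans, jail) in demo().items():
        print(name, "banned:", bans, "permanent" if jail.bantime < 0 else f"for {jail.bantime}s")
```

The `is_banned` check at the top of `feed` is the part that matters for michaelt's question: with the 5/600/600 settings a burst of mistyped passwords costs ten minutes and then the counter starts from zero, whereas kleiba's 3-then-forever jail (`bantime=-1`) never releases the address on its own, which is exactly the "call the sysadmin" situation. The `/pmail/` line shows why the trailing `[/ ?]` in the phpMyAdmin pattern is there: without it, anything beginning with `/pma` would earn the 10 day ban.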
| throwaway892238 wrote:
| I've stopped trying to convince people against using things like
| Fail2ban. As long as it's not a company or government where
| security is important, let them waste their time.
___________________________________________________________________
(page generated 2024-01-01 23:00 UTC)