Hacker News new | past | comments | ask | show | jobs | submit login

Is there any point in Fail2ban if you're using keys and have disabled passwords? I guess defense in depth and all that



> Is there any point in Fail2Ban if you're using keys and have disabled passwords?

I’d say no. Back in the mid 2000s, I used to use Fail2Ban as an extra layer of defense but users on Stack Exchange and Hacker News (like tptacek¹) convinced me that it was pointless if I’d already disabled password authentication.

To minimise noise in my logs and to have an extra layer of defense, I only allow TCP access to Port 22 (with rate-limiting) from my home ISP’s network block, my work IP address and via the Wireguard network interface (in case my home or work ISP change the IP addresses they provide to customers).

I have considered using Fail2Ban to stop spammers using too much Postfix resources but so far I’ve got away with postscreen and configuring Postfix to reject spam attempts as early as possible during the SMTP transaction. Similarly, my Apache server gets hammered with exploit attempts but I haven’t got around to investigating how useful Fail2Ban would be for minimising how much server resources are used in responding to these malicious HTTP requests.

¹ https://news.ycombinator.com/item?id=37795100#37796639


I move SSH to a different port... I know it's easy enough to discover through a port scan, but it cuts a LOT of noise down. For home, I only allow the wireguard port from the outside.

I tend to start with Ubuntu Server these days as the SSH config is pretty much where I want in the box and will import my public key during setup. I also now use Caddy for reverse-proxy duties over Nginx.


Instead of rate limiting, more than a decade ago I started simply changing SSH port from 22 to something else.

In case I needed to proxy through home, or access something like web ui for home heating system - I simply used ssh tunnel (socks localhost etc)...

Of course now all that is simply done via WireGuard/Tailscale/etc.


I'd even go one step further and say portknocking would do a lot of good too, in addition to changing the default SSH port.


If anyone actually does this - please have a backup for the time when either Fail2Ban or/and PortKnocking (so both) fail or lock you out.


I've never had knockd fail me, can you fill me in on what pitfall got yours to go down? Just in case.


Besides dummy stuff like wrong config of knockd itself - which hopefully gets ironed out during initial (local/on-prem setup).

Every now and then particular knock ports might be blocked (DROP) by cliënt side ISP/wifi/etc you happen to be using at the moment.

Or your fiber optic connection package gets a speed boost, along with being moved behind CGNAT.

OK in my case switching from cable to fiber already included ending up behind a CGNAT, but people already on that ISP actually got that 2in1 surprise.


I put ssh on ipv6 only on a cloud vps I was using. Crickets. No one ever noticed it was there.


Oh they knew. Just no one has IPv6 to connect.


Fail2Ban doesn't do much for SSH other than keeping your logs cleaner if you're using key based auth. It's quite good for protecting other services like Vaultwarden for example. Of course, it's just one additional layer. The important part is to configure the services themselves to be more secure.


Fail2ban can also block ips for other services that may be listening beyond just ssh.


I suppose that helps recoup some system load that otherwise would be wasted in lengthy random port/service poking




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: