LinuxQuestions.org
Old 07-07-2019, 04:10 PM   #1
Mark_667
Member
 
Registered: Aug 2005
Location: Manchester, England
Distribution: Ubuntu 19.04
Posts: 356

Rep: Reputation: 27
Is fail2ban useful on servers which only use SSH keys?


I have fail2ban on an EC2 host which has password logins disabled, so the only way to log in is using a private key. A colleague has said that fail2ban doesn't work for setups like this where passwords can't be used to log in, but I still see a lot of activity in the fail2ban logs with IPs being banned and unbanned. Is fail2ban only banning SSH brute force attacks that are trying to do password logins?

While a brute force against a key-based login might not work, fail2ban will still be reducing the load on the server having to process all those attempts by continually interrupting it. Is it worth doing it from that point of view?
 
Old 07-08-2019, 07:19 AM   #2
wpeckham
Senior Member
 
Registered: Apr 2010
Location: Continental USA
Distribution: Debian, Ubuntu, Fedora, RedHat, DSL, Puppy, CentOS, Knoppix, Mint-DE, Sparky, Vsido, tinycore, Q4OS
Posts: 3,046

Rep: Reputation: 1332
Quote:
Originally Posted by Mark_667 View Post
I have fail2ban on an EC2 host which has password logins disabled, so the only way to log in is using a private key. A colleague has said that fail2ban doesn't work for setups like this where passwords can't be used to log in, but I still see a lot of activity in the fail2ban logs with IPs being banned and unbanned. Is fail2ban only banning SSH brute force attacks that are trying to do password logins?

While a brute force against a key-based login might not work, fail2ban will still be reducing the load on the server having to process all those attempts by continually interrupting it. Is it worth doing it from that point of view?
Of course fail2ban still works. If anything, it works better in some ways. I used it to log the source IP of repeated break-in attempts and used that log to feed my network security block list, but that is the kind of thing I like. If you use it JUST for single server security, you can have it feed your local firewall on that server. If your server LOOKS vulnerable, they will keep trying things and may hit on one that will succeed. If your security looks tight enough, they may move efforts to easier targets.
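
Added example, not part of the original thread and not fail2ban's own code: a Python sketch of why bans still fire on a key-only host. sshd keeps logging pre-authentication failures, and counting them per source IP gives a block list of the kind described above. The log lines are constructed, the two regular expressions are simplified stand-ins for fail2ban's sshd filter, and `offenders`, its defaults and the `year` argument are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sshd auth-log sample from a host with password logins disabled.
# Addresses come from the documentation ranges (RFC 5737).
SAMPLE_LOG = """\
Jul  7 16:10:01 ip-10-0-0-5 sshd[2101]: Invalid user admin from 203.0.113.5 port 51234
Jul  7 16:10:01 ip-10-0-0-5 sshd[2101]: Connection closed by invalid user admin 203.0.113.5 port 51234 [preauth]
Jul  7 16:10:09 ip-10-0-0-5 sshd[2107]: Invalid user test from 203.0.113.5 port 51301
Jul  7 16:10:20 ip-10-0-0-5 sshd[2111]: Invalid user oracle from 203.0.113.5 port 51377
Jul  7 16:11:02 ip-10-0-0-5 sshd[2120]: Accepted publickey for ubuntu from 198.51.100.7 port 50022 ssh2: RSA SHA256:CONSTRUCTED
Jul  7 16:12:40 ip-10-0-0-5 sshd[2133]: Connection closed by authenticating user root 192.0.2.44 port 40112 [preauth]
Jul  7 16:40:00 ip-10-0-0-5 sshd[2190]: Connection closed by authenticating user root 192.0.2.44 port 40980 [preauth]
"""

# Simplified failure patterns (assumption: stand-ins, not fail2ban's real filter).
# Neither depends on password authentication being enabled.
FAILURES = [
    re.compile(r"Invalid user \S+ from (?P<ip>\S+) port \d+"),
    re.compile(r"Connection closed by authenticating user \S+ (?P<ip>\S+) port \d+ \[preauth\]"),
]

def offenders(log_text, maxretry=3, findtime=timedelta(minutes=10), year=2019):
    """Return sorted IPs with at least maxretry failures inside one findtime window."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        for pattern in FAILURES:
            match = pattern.search(line)
            if match:
                # Syslog timestamps carry no year, so the caller supplies one.
                stamp = datetime.strptime(f"{year} {line[:15]}", "%Y %b %d %H:%M:%S")
                hits[match.group("ip")].append(stamp)
                break  # count each log line at most once
    banned = set()
    for ip, times in hits.items():
        times.sort()
        # Slide a window of maxretry consecutive failures over the timeline.
        for i in range(len(times) - maxretry + 1):
            if times[i + maxretry - 1] - times[i] <= findtime:
                banned.add(ip)
                break
    return sorted(banned)

if __name__ == "__main__":
    # One address per line, ready to feed a firewall or shared block list.
    print("\n".join(offenders(SAMPLE_LOG)))
```

The successful public-key login from 198.51.100.7 never counts as a failure, and 192.0.2.44 stays under the default threshold because it has only two failures in the sample.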
 
Old 07-12-2019, 05:33 AM   #3
Hostech_Support
Member
 
Registered: Oct 2017
Location: India
Posts: 41

Rep: Reputation: Disabled
Any service that is exposed to the internet is susceptible to attacks from malicious parties; fail2ban is not just for ssh security.
 
Old 07-12-2019, 05:49 AM   #4
Mark_667
Member
 
Registered: Aug 2005
Location: Manchester, England
Distribution: Ubuntu 19.04
Posts: 356

Original Poster
Rep: Reputation: 27
You're preaching to the converted here. I also have it watching my nginx logs, the access log of which is full of requests for login pages.
 
Old 07-12-2019, 06:18 AM   #5
wpeckham
Senior Member
 
Registered: Apr 2010
Location: Continental USA
Distribution: Debian, Ubuntu, Fedora, RedHat, DSL, Puppy, CentOS, Knoppix, Mint-DE, Sparky, Vsido, tinycore, Q4OS
Posts: 3,046

Rep: Reputation: 1332
It is less to know when there are attacks, as to log where the attacks COME from and ensure that they trigger actions. (Automated or manual, as long as the attackers are blocked from continuing to try.)
 
  

