LinuxQuestions.org
Slackware This Forum is for the discussion of Slackware Linux.
Old 05-04-2013, 09:23 AM   #16
unSpawn
Moderator
Quote:
Originally Posted by tronayne
the lion's share originates in China.

Anyone who's followed stats over the last couple of years knows China, the US and Russia rotate in the most malicious activity top five. Plus a scan originating from China doesn't automagically mean it's the Chinese, anyone could be using those machines.


Quote:
Originally Posted by tronayne
Script kiddies and port scanners are one thing, state-sponsored attacks are quite another. Do countries spy on one another? Of course they do and have done so for thousands of years in one form or another. It seems, though, that China has taken it to a new level.

That's only what's been discovered and cleared for publication. And the recent spate of APTs weren't exactly all Chinese efforts, right?..
 
Old 05-04-2013, 09:36 AM   #17
unSpawn
Moderator
Quote:
Originally Posted by chemfire
Personally I don't see the need for fail2ban in this situation. It's one more package he has to install

True, but since the Slackware installation instructions tell you to install "everything unless you know what you're doing" that's somewhat debatable I think ;-p Anyway, if you run Python already the package itself doesn't take up much space.


Quote:
Originally Posted by chemfire
and one more thing that has to be memory resident.

Long time since I read that phrase and argument. Do you actually know how much memory Python would need for running fail2ban or if the OP has very limited RAM?


Quote:
Originally Posted by chemfire
(they just give up and move on when they start seeing the port as closed after 5 hits)

I've seen single hosts scan for hours on end at n connections per second.
 
Old 05-04-2013, 10:02 AM   #18
tronayne
Senior Member
Quote:
Originally Posted by unSpawn
That's only what's been discovered and cleared for publication. And the recent spate of APTs weren't exactly all Chinese efforts, right?..

Advanced persistent threat (APT) network attacks have, indeed, been rising -- and originating from all over the place -- so, no, probably not all of Chinese origin. However, the evidence seems to indicate that the majority originate in China.

Keep in mind that there is a 12-story building on the outskirts of Shanghai that is the headquarters of Unit 61398 of the People’s Liberation Army.

Quoting from The New York Times, "Chinese Army Unit Is Seen as Tied to Hacking Against U.S." 19 Feb 2013 article (see http://www.nytimes.com/2013/02/19/te...anted=all&_r=0):
Quote:
The building off Datong Road, surrounded by restaurants, massage parlors and a wine importer, is the headquarters of P.L.A. Unit 61398. A growing body of digital forensic evidence — confirmed by American intelligence officials who say they have tapped into the activity of the army unit for years — leaves little doubt that an overwhelming percentage of the attacks on American corporations, organizations and government agencies originate in and around the white tower.
And, of course, not just the U.S. is being targeted -- so's everybody else with anything worth knowing.

Is the article worth reading? Is The New York Times to be believed? Is China (as in state-sponsored) doing this?

I think ignoring or pooh-poohing is at your peril. You can, of course, decide for yourself.
 
Old 05-04-2013, 11:42 AM   #19
chemfire
Member
unSpawn,

I'll agree that the system requirements of fail2ban are not something to be concerned with; although if you are running on a purpose-built firewall-type appliance box with only a couple hundred megs of RAM it might matter. There are still human maintenance issues though: you have an application that does not ship with the platform, so it will need to be considered at each upgrade and kept current itself, and there are ban lists to manage. Not much effort, but certainly more than the iptables xt-recent solution, which is pretty much shove it in rc.firewall and forget about it.

As to the APT issue, that is clearly not his problem. No APT would have thrown the dictionary at sshd like that unless they already knew the target did not review logs and had no SIEM or automatic log analysis in place. While I have seen those guys do slow scans as part of recon etc., and they might even try the obvious root/toor admin/p@$$w0rd type things on an application, once that does not work they are not going to try and run a dictionary attack for months at an average rate of 1 attempt every 60 seconds. They have better things to do.

They are going to A) spear phish you and get you to do something that will let them back in; a Java applet reverse shell on a cloned website, for example. B) identify something like sshd you are running, find or develop an exploit for it offline and then crack it in one attempt against you. Fail2ban and firewalling won't help you there. A good inline IPS might, but most likely not. Which gets you back to the oldest solutions: make sure everything you have is patched and minimize the attack surface; don't run anything you don't need.
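The xt_recent "give up after 5 hits" rule chemfire refers to can be checked with this added Python model; it is not code from the thread or from Slackware's rc.firewall, and the iptables rule pair in its docstring is the assumed common form rather than anyone's posted configuration. The constructed traffic shows a fast dictionary run dropped on its fifth SYN, while the one-attempt-every-60-seconds pace from chemfire's reply never trips a 5-hits-in-60-seconds window, which is exactly the traffic that only log review catches.

```python
"""Simplified model of the iptables xt_recent rate limit chemfire refers to.
Assumed rule pair (common form, not quoted from anyone's rc.firewall):
    iptables -A INPUT -p tcp --dport 22 -m state --state NEW \
        -m recent --set --name SSH
    iptables -A INPUT -p tcp --dport 22 -m state --state NEW \
        -m recent --update --seconds 60 --hitcount 5 --name SSH -j DROP

--set stamps every new connection; --update drops once a source has 'hitcount'
stamps inside 'seconds'. Dropped packets are stamped too, so a source that
keeps hammering stays dropped until its older stamps age out of the window.
"""
from collections import deque

class RecentList:
    def __init__(self, seconds=60, hitcount=5):
        self.seconds = seconds
        self.hitcount = hitcount
        # source IP -> its most recent 'hitcount' SYN timestamps
        # (real xt_recent keeps ip_pkt_list_tot, default 20, per address)
        self.stamps = {}

    def new_connection(self, src, now):
        """Verdict for a new SYN from src at time 'now' (seconds)."""
        hist = self.stamps.setdefault(src, deque(maxlen=self.hitcount))
        hist.append(now)                      # rule 1: --set
        # rule 2: --update --seconds S --hitcount N matches when the N most
        # recent stamps (this packet included) all fall inside the window.
        if len(hist) == self.hitcount and now - hist[0] <= self.seconds:
            return "DROP"
        return "ACCEPT"

def simulate(events, seconds=60, hitcount=5):
    """events: (time, src) pairs. Returns {src: [verdict per attempt]}."""
    rl = RecentList(seconds, hitcount)
    verdicts = {}
    for t, src in sorted(events):
        verdicts.setdefault(src, []).append(rl.new_connection(src, t))
    return verdicts

# Constructed traffic (TEST-NET addresses): a fast dictionary run every 2 s,
# a slow one at chemfire's 1-attempt-per-60-s rate, and an admin logging in twice.
FAST = [(t, "198.51.100.7") for t in range(0, 20, 2)]
SLOW = [(t, "203.0.113.9") for t in range(0, 600, 60)]
ADMIN = [(5, "192.0.2.10"), (400, "192.0.2.10")]
SAMPLE = FAST + SLOW + ADMIN

if __name__ == "__main__":
    for src, v in simulate(SAMPLE).items():
        print(src, " ".join(v))
```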