
Re: random usernames in attempts to break in to my machine?



On Tue, Apr 05, 2022 at 03:01:30AM -0400, gene heskett wrote:
> On Tuesday, 5 April 2022 01:46:32 EDT tomas@tuxteam.de wrote:

[fail2ban]

> Well, it seems to me that if something as automatic as fail2ban were to 
> be used, its better use would be in the router, stopping such before it 
> reaches into the home network [...]

The fly in this ointment is that fail2ban relies on feedback from the
server applications (mail server, web server, sshd etc) to ascribe
"suspicious activity" (whatever that is: you get to decide with your
configs) to source IP addresses. Typically login failures and their
ilk, gleaned from the corresponding log files.

And those apps aren't running in your router. So you'll have to teach
fail2ban to run in some distributed fashion (perhaps it does this out-
of-the-box, I don't know).

You gotta be careful: kicking out an IP for just one login failure
might shut *you* out because you forgot to ssh-add your key (or because
you mistyped your password once). OTOH, if "they" keep changing their
IP address for each retry, you wouldn't catch them otherwise. So it
is a fine line to walk. You might try to trigger on more specific
patterns, which means you'll have to adapt your recognisers, yadda,
yadda.

Take care & don't forget having fun. That's what computers are for,
after all.

-- 
t
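
Added example (not part of the original message, and not fail2ban's own code): a simplified model of the per-source-IP failure counting described above, run over constructed sshd-style log lines to show both sides of the threshold trade-off. The log format, addresses and the user name alice are made up; maxretry and findtime mirror the fail2ban options of the same names.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (simplified timestamps, documentation-range addresses).
SAMPLE_LOG = """\
2022-04-05T03:00:01 sshd[811]: Failed password for invalid user oracle from 198.51.100.7 port 40112 ssh2
2022-04-05T03:00:04 sshd[812]: Failed password for invalid user admin from 198.51.100.7 port 40120 ssh2
2022-04-05T03:00:09 sshd[813]: Failed password for invalid user test from 198.51.100.7 port 40131 ssh2
2022-04-05T03:01:00 sshd[820]: Failed password for invalid user pi from 203.0.113.11 port 51000 ssh2
2022-04-05T03:01:05 sshd[821]: Failed password for invalid user git from 203.0.113.12 port 51001 ssh2
2022-04-05T03:01:10 sshd[822]: Failed password for invalid user ftp from 203.0.113.13 port 51002 ssh2
2022-04-05T03:02:00 sshd[830]: Failed password for alice from 192.0.2.50 port 60000 ssh2
2022-04-05T03:02:20 sshd[831]: Accepted password for alice from 192.0.2.50 port 60004 ssh2
"""

# Only failed logins count; the source IP is the key the ban is ascribed to.
FAILED = re.compile(
    r"^(\S+) sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from (\S+) "
)

def banned_ips(log_text, maxretry, findtime_s):
    """Return source IPs with >= maxretry failures inside a findtime_s window."""
    window = timedelta(seconds=findtime_s)
    recent = defaultdict(deque)  # ip -> timestamps of failures still in the window
    banned = set()
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if not m:
            continue
        ts, ip = datetime.fromisoformat(m.group(1)), m.group(2)
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:  # drop failures older than the window
            q.popleft()
        if len(q) >= maxretry:
            banned.add(ip)
    return banned

if __name__ == "__main__":
    # maxretry=1 also bans 192.0.2.50 (one typo, then a good login);
    # maxretry=3 spares it but misses the 203.0.113.x hosts that try once each.
    for n in (1, 3):
        print(f"maxretry={n}:", sorted(banned_ips(SAMPLE_LOG, n, 600)))
```
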
