
Re: random usernames in attempts to break in to my machine?



On Tue, Apr 05 2022 at 09:23:11 AM, <tomas@tuxteam.de> wrote:
> On Tue, Apr 05, 2022 at 03:01:30AM -0400, gene heskett wrote:
>> On Tuesday, 5 April 2022 01:46:32 EDT tomas@tuxteam.de wrote:
>
> [fail2ban]
>
>> Well, it seems to me that if something as automatic as fail2ban were to 
>> be used, its better use would be in the router, stopping such before it 
>> reaches into the home network [...]
>
> The fly in this ointment is that fail2ban relies on feedback from the
> server applications (mail server, web server, sshd etc) to ascribe
> "suspicious activity" (whatever that is: you get to decide with your
> configs) to source IP addresses. Typically login failures and their
> ilk, gleaned from the corresponding log files.
>
> And those apps aren't running in your router. So you'll have to teach
> fail2ban to run in some distributed fashion (perhaps it does this
> out-of-the-box, I don't know).
>

fail2ban lets you decide what should be done when it makes a decision
about banning/unbanning IPs.  You can give it commands to run in each
case.  The defaults for those are to use the appropriate iptables
commands, but you can instead give commands that would configure your
router.

> You gotta be careful: kicking out an IP for just one login failure
> might shut *you* out because you forgot to ssh-add your key (or because
> you mistyped your password once). OTOH, if "they" keep changing their
> IP address for each retry, you wouldn't catch them otherwise. So it
> is a fine line to walk. You might try to trigger on more specific
> patterns, which means you'll have to adapt your recognisers, yadda,
> yadda.
>
> Take care & don't forget having fun. That's what computers are for,
> after all.
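The per-ban commands mentioned in the reply above, as an added sketch that is not from this thread or from fail2ban itself: a wrapper a jail's action could name as its actionban/actionunban command (fail2ban substitutes the offending address for `<ip>`), which validates the address before handing it to the router and refuses to ban an allowlisted address, covering the lock-yourself-out risk raised in the quoted message. ROUTER_CMD and the "firewall add/del drop src" syntax are hypothetical placeholders for whatever the real router accepts.

```shell
#!/bin/sh
# Added example: wrapper for fail2ban's actionban/actionunban, e.g. in action.d
#   actionban = /usr/local/sbin/router-ban.sh ban <ip>
# ROUTER_CMD and the router firewall syntax below are hypothetical placeholders.
ROUTER_CMD="${ROUTER_CMD:-echo}"                 # production: ssh -i /path/to/key admin@router
ALLOWLIST="${ALLOWLIST:-127.0.0.1 192.168.1.}"   # constructed: exact IPs, or prefixes ending in '.'

# Accept only a dotted quad of 0-255 octets, so a mis-parsed log line cannot
# smuggle shell metacharacters into the router command.
valid_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] 2>/dev/null || return 1
    done
    return 0
}

# Never ban the addresses you administer from. fail2ban's own ignoreip does this
# in the jail, but a second check here survives a mistake in jail.local.
is_allowlisted() {
    for entry in $ALLOWLIST; do
        case "$entry" in
            *.) case "$1" in "$entry"*) return 0 ;; esac ;;
            *)  [ "$1" = "$entry" ] && return 0 ;;
        esac
    done
    return 1
}

router_ban() {
    valid_ipv4 "$1" || { echo "refusing malformed address: $1" >&2; return 1; }
    is_allowlisted "$1" && { echo "not banning allowlisted $1" >&2; return 0; }
    $ROUTER_CMD firewall add drop src "$1"
}

router_unban() {
    valid_ipv4 "$1" || return 1
    $ROUTER_CMD firewall del drop src "$1"
}

if [ $# -ge 2 ]; then   # dispatch only when invoked with arguments, as fail2ban would
    case "$1" in
        ban)   router_ban "$2" ;;
        unban) router_unban "$2" ;;
        *)     echo "usage: $0 ban|unban <ip>" >&2; exit 2 ;;
    esac
fi
```

With ROUTER_CMD left at its default of echo the script only prints the router command, which is a convenient way to dry-run an action before pointing it at real hardware.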

