I've not heard of that happening, but I haven't used fail2ban. *shrug*
Come to #ubuntuforums! We have cookies! | Basic Ubuntu Security Guide Tomorrow's an illusion and yesterday's a dream, today is a solution...
Originally Posted by CharlesA
Explain?

If somebody spoofs your IP address, these tools will lock you out. The solution is to white list your IP address, which can be done with iptables and denyhosts, not sure about fail2ban.
There are two mistakes one can make along the road to truth...not going all the way, and not starting. --Prince Gautama Siddharta #ubuntuforums web interface
Originally Posted by bodhi.zazen
If somebody spoofs your IP address, these tools will lock you out. The solution is to white list your IP address, which can be done with iptables and denyhosts, not sure about fail2ban.

Thanks for the info. I might have to play around with fail2ban, but idk.
Originally Posted by CharlesA
Thanks for the info. I might have to play around with fail2ban, but idk.

If you understand iptables (and I think you do), I find it easier than installing yet another service such as denyhosts or fail2ban. denyhosts uses tcpwrapper (/etc/hosts.deny) plus it has the ability to track naughty IP addresses, both in a local database but also in a central database. fail2ban covers additional services and is a bit more complex to configure. fail2ban will monitor your logs and can be configured to watch ftp, ssh, http, etc. fail2ban uses iptables (I think). Once I learned iptables, I find it easier to configure iptables to cover the services I need. tcpwrapper is also easy to configure and I use that for ssh.
Yup, I am using iptables so far and it's working great. A lot easier to configure too. Heh.
fail2ban can be configured to ignore ip so that will stop DOS attacks from having effect. The value is in jail.conf, [DEFAULT] section and is called "ignoreip" Hope this helps.
Malac - "Time Is Precious, Waste It Wisely" Registered Linux User 416897 Registered Ubuntu User 7567
The most important security tip is not to use stupid short passwords.
Cheers, Herman http://www.aeronetworks.ca
If you use more than just SSH for admin access like Webmin, FTP, or something then I'd recommend channeling all your admin tools over VPN using OpenVPN, then any admin tools are locked down in a VPN tunnel. Forensics is rather hard, so I'd find out what exactly has been going on before acting too fast, maybe something is bugging and just caught in a loop with sendmail, or something else that would appear as spamming.
------------------
Originally Posted by ov3rcl0ck
If you use more than just SSH for admin access like Webmin, FTP, or something then I'd recommend channeling all your admin tools over VPN using OpenVPN, then any admin tools are locked down in a VPN tunnel.

I usually only have stuff like webmin tunneled over SSH and not accessible directly from the internet. It's a bit more secure that way. Haven't bothered with VPNs for that.
You can configure iptables to limit the rate of connection attempts, which will render bruteforcing ineffective, for example:
Code:
iptables -A INPUT -p tcp --dport <your ssh port> -m limit --limit 6/minute -j ACCEPT
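
Added example (not part of any post in this thread): a sketch that combines two suggestions made above, the white-listed admin address and the 6/minute rate limit, with the limit counted per source address through the hashlimit match and followed by an explicit DROP. The function name ssh_rules, port 22 and the address 203.0.113.10 are assumptions made for the example.

```shell
#!/bin/sh
# Added example: prints an iptables rule set for review; it changes nothing
# by itself. To apply, run the printed commands as root.
# ssh_rules PORT ADMIN_IP  (both values are supplied by you; see call below)

ssh_rules() {
    port="$1"
    admin_ip="$2"

    # Refuse anything that is not a plain TCP port number.
    case "$port" in
        ''|*[!0-9]*) echo "invalid port: $port" >&2; return 1 ;;
    esac
    if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
        echo "port out of range: $port" >&2
        return 1
    fi

    # Refuse anything that is not an IPv4 address or CIDR (digits, dots, slash),
    # so the value cannot smuggle extra shell or iptables arguments.
    case "$admin_ip" in
        ''|*[!0-9./]*) echo "invalid address: $admin_ip" >&2; return 1 ;;
    esac

    cat <<EOF
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --dport $port -s $admin_ip -j ACCEPT
iptables -A INPUT -p tcp --dport $port -m conntrack --ctstate NEW -m hashlimit --hashlimit-name ssh --hashlimit-mode srcip --hashlimit-upto 6/minute --hashlimit-burst 6 -j ACCEPT
iptables -A INPUT -p tcp --dport $port -m conntrack --ctstate NEW -j DROP
EOF
}

# Rule order matters:
#   1. packets of sessions that are already open are never rate limited
#   2. the white-listed address is accepted before any counting happens,
#      so it cannot be locked out by the limiter
#   3. every other source gets its own 6/minute bucket (srcip mode)
#   4. new connections over the limit are dropped
# Constructed sample values: port 22, 203.0.113.10 (documentation range).
ssh_rules "${SSH_PORT:-22}" "${ADMIN_IP:-203.0.113.10}"
```

Set SSH_PORT and ADMIN_IP in the environment to print the rules for your own port and address.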