On 10/05/12 17:50, James Stanley wrote:
> Just in case you are interested in statistics, I have been running
> Fail2Ban since May 2010 and since then I've had around 6.5k emails
> informing me that an address has been blocked, or about 9 attempts per
> *day*.
Is that all? /var/log/auth.log lists 13,965 failed passwords between
11:33 and 18:54 *yesterday*.
> I think your customers would be a lot more likely to install Fail2Ban
> if they knew just how common this sort of attack was.
These are my security measures:

    PermitRootLogin no
    AllowUsers foo bar baz

    grep "Failed " /var/log/auth.log.0 | awk '{ print $11 }' | sort | uniq -c | sort -V | less

shows where most of the attempts are going, very roughly sorted
into number of attempts. None of them use valid usernames for this
box.
In my opinion it's not worth getting worked up about.
If you are worried about *targeted* dictionary attacks, i.e.
someone going for *you* with thousands of passwords, rather
than thousands of machines with a handful of weak passwords,
then Fail2Ban makes sense. Or just make sure you have strong
passwords. Or switch to keys.
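
The tally described in the message above, as an added example that is not part of the original post: it counts failed passwords per username on both "invalid user" lines and lines for existing accounts (where the awk field positions shift by two), and flags the targeted case of one source repeatedly trying an account that AllowUsers permits. The log lines, the `summarise` function and the threshold of 3 are assumptions made for illustration.

```python
import re
from collections import Counter

# Constructed sample lines in OpenSSH's auth.log format (not from the thread).
SAMPLE_LOG = """\
May  9 11:33:01 box sshd[1001]: Failed password for invalid user admin from 203.0.113.5 port 40001 ssh2
May  9 11:33:04 box sshd[1002]: Failed password for invalid user oracle from 203.0.113.5 port 40002 ssh2
May  9 11:33:09 box sshd[1003]: Failed password for root from 198.51.100.7 port 51000 ssh2
May  9 11:34:10 box sshd[1004]: Failed password for foo from 192.0.2.9 port 52000 ssh2
May  9 11:34:12 box sshd[1005]: Failed password for foo from 192.0.2.9 port 52001 ssh2
May  9 11:34:15 box sshd[1006]: Failed password for foo from 192.0.2.9 port 52002 ssh2
May  9 11:35:00 box sshd[1007]: Accepted publickey for bar from 192.0.2.50 port 53000 ssh2
May  9 11:35:30 box sshd[1008]: Failed password for invalid user admin from 198.51.100.7 port 51001 ssh2
"""

# The username is attacker-supplied and may contain spaces, so match it
# greedily and anchor the trailing "from <ip> port <n>" at end of line.
FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?"
    r"(?P<user>.*) from (?P<ip>\S+) port \d+(?: ssh2)?$"
)

def summarise(log_text, allowed_users, targeted_threshold=3):
    """Tally failed passwords; flag (ip, user) pairs hammering an allowed account."""
    by_user, by_pair = Counter(), Counter()
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if m:
            by_user[m["user"]] += 1
            by_pair[(m["ip"], m["user"])] += 1
    return {
        "total": sum(by_user.values()),
        "by_user": by_user,
        # Attempts against names that AllowUsers would actually let in.
        "allowed_hit": {u: n for u, n in by_user.items() if u in allowed_users},
        # Same source, same real account, repeatedly: the targeted case.
        "targeted": sorted(p for p, n in by_pair.items()
                           if p[1] in allowed_users and n >= targeted_threshold),
    }

if __name__ == "__main__":
    report = summarise(SAMPLE_LOG, allowed_users={"foo", "bar", "baz"})
    for user, n in report["by_user"].most_common():
        print(f"{n:6d} {user}")
    print("allowed accounts hit:", report["allowed_hit"])
    print("targeted:", report["targeted"])
```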