On 10/05/12 17:50, James Stanley wrote:
> Just in case you are interested in statistics, I have been running
> Fail2Ban since May 2010 and since then I've had around 6.5k emails
> informing me that an address has been blocked, or about 9 attempts per
> *day*.

Is that all? /var/log/auth.log lists 13,965 failed passwords between
11:33 and 18:54 *yesterday*.

> I think your customers would be a lot more likely to install Fail2Ban
> if they knew just how common this sort of attack was.

These are my security measures:
PermitRootLogin no
AllowUsers foo bar baz
grep "Failed " /var/log/auth.log.0 | awk '{ print $11 }' | sort | uniq -c | sort -V | less
shows where most of the attempts are going, very roughly sorted
into number of attempts. None of them use valid usernames for this
box.
In my opinion it's not worth getting worked up about.
If you are worried about *targeted* dictionary attacks, i.e.
someone going for *you* with thousands of passwords, rather
than thousands of machines with a handful of weak passwords,
then Fail2Ban makes sense. Or just make sure you have strong
passwords. Or switch to keys.
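
An added example, not part of the original message: a tally of failed sshd password attempts per username that also marks whether each name is in the AllowUsers list, which is the check behind "none of them use valid usernames". The function names, the sample log lines and their addresses are constructed for illustration; the username is located by its surrounding text rather than by a fixed field number, because it sits in a different field depending on whether sshd logs "invalid user".

```shell
#!/bin/sh
# Constructed sample in the usual sshd auth.log format (documentation IPs).
sample_log() {
cat <<'EOF'
May 10 11:33:01 box sshd[2101]: Failed password for invalid user admin from 192.0.2.10 port 51234 ssh2
May 10 11:33:04 box sshd[2101]: Failed password for invalid user admin from 192.0.2.10 port 51240 ssh2
May 10 11:34:10 box sshd[2107]: Failed password for invalid user root from 198.51.100.7 port 40022 ssh2
May 10 11:35:42 box sshd[2111]: Failed password for foo from 203.0.113.5 port 33990 ssh2
May 10 11:36:00 box sshd[2115]: Failed password for invalid user admin from 192.0.2.10 port 51302 ssh2
May 10 11:36:31 box sshd[2119]: Failed password for invalid user oracle from 198.51.100.7 port 40101 ssh2
May 10 11:40:02 box sshd[2130]: Accepted publickey for bar from 203.0.113.9 port 50111 ssh2
May 10 11:41:15 box sshd[2133]: Failed password for invalid user root from 198.51.100.7 port 40177 ssh2
EOF
}

# failed_by_user "<AllowUsers list>" < auth.log
# Prints "count VALID|invalid username", highest count first.
failed_by_user() {
    awk -v allowed="$1" '
    BEGIN {
        n = split(allowed, a, " ")
        for (i = 1; i <= n; i++) ok[a[i]] = 1
        marker = "Failed password for "
    }
    /sshd\[[0-9]+\]: Failed password for / {
        # Take the text after the first marker, then strip the optional
        # "invalid user " prefix and the " from ADDR port N ..." tail.
        user = substr($0, index($0, marker) + length(marker))
        sub(/^invalid user /, "", user)
        sub(/ from [^ ]+ port [0-9]+.*$/, "", user)
        count[user]++
    }
    END {
        for (u in count)
            printf "%d %s %s\n", count[u], (u in ok) ? "VALID" : "invalid", u
    }' | sort -k1,1nr -k3,3
}

# Stand-alone run against the constructed sample and the AllowUsers
# list from the message above.
sample_log | failed_by_user "foo bar baz"
```

Lines marked VALID are the ones worth a closer look, since they are guesses against accounts that can actually log in.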