Re: [bitfolk] fail2ban

On 2012/12/12 7:50 PM, Christopher Roberts wrote: Security through obscurity is not enough by itself. It might be a good idea, it will keep the script kiddies at bay, and automated scripts searching for specific services (e.g ssh) - most of the crap shared out there simply checks for an open port, some do check for greeting. But then I may or may not have written custom scripts that basically nmap's a host, connects to each open port with a timeout of 10 seconds, and saves any greeting it gets. This was then (or not) automatically scanned via scripts .Anything out-of-the-ordinary (non-IMAP response on IMAP port, any response at all on non-standard port, etc) was hypothetically reported. Very quick, simple and effective. If someone using a script similar to the above hypothetical script targets your specific machine, or the subnet you're on, or all the subnets of the vps provider (i.e not even you directly, they're after bitfolk) then your ssh on your non-standard port will be found, and your security through obscurity would be useless. Chances are also that one who writes a script like this is technically savvy enough to have a much higher chance of getting into your system. Yeah, you will keep all the botnet-run scripts away from your port :22, and keep yourself free from attacks from them, but that's not sufficient. It's debatable whether or not it is a good idea to run ssh on a non-standard port but I don't feel like getting into that now. We run fail2ban on ssh, ssmtp, pop3s, imaps. It has reduced the load on our operators considerably - not having to look through hundreds of lines of log files to see if the attacker was successful or not. I'm considering getting it (fail2ban) implemented on http for one of our company servers too. I've seen several attempts, in quick succession, to get into our system, specifically cross-domain scripting, and mysql non-escaped queries showing our (highly confidential) data. With lax parameters, but there.