[lug] keeping up with attacks

Rob Nagler nagler at bivio.biz
Sat May 4 09:52:07 MDT 2019

My $.02 is that fail2ban and blocking specific IPs is more expensive than
letting sshd handle them. Spend your energy on reducing the general risk
profile of your network and services.

There are thousands of ssh attempts a day against our servers to login as
root. And, we have only a couple of public ssh servers. The non-public only
let through a handful of trusted IPs via iptables.

The public servers don't notice the attacks, because it's so fast for sshd
to reject them. fail2ban increases the server (and my mental) load without
a decrease in risk. There are millions of bots out there. If sshd has a
zero-day, we are  trouble, but so would AWS, GCP, Citibank, Amex, etc.
They'll be the first to be breached, not our servers. My experience is that
those patches come along pretty quickly. Much faster than the botnets can
be reprogrammed to attack the millions of IPs that are running sshd.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.lug.boulder.co.us/pipermail/lug/attachments/20190504/7849a61e/attachment.html>

More information about the LUG mailing list