Open deutrino opened 4 years ago
Sounds good! :+1:
Hi @deutrino - I'm just working back through the issue tracker (actually was over a week ago when I added and changed the milestone to v16.1) and noticed that this one never got applied (or further discussed, etc).
In essence, this sounds like a great idea, although I do still have some reservations re inexperienced users accidentally locking themselves out for extended periods of time.
Are there any ways that we can somewhat mitigate that? Or can you explain to me why you don't think that is a concern (if indeed that's the case)?
It would require some work more than what comes "out of the box" with fail2ban, but I can imagine some combination of config work between the sshd & recidive filters, and fail2ban in general, that results in some combination of
I have the very smallest beginnings of this in a cookbook I use on new TKL machines, I haven't gotten to the point of having much in TKLDev ready form yet. But eventually I can adapt this and have concrete changes to suggest which I hope will be appropriate for all users :)
@deutrino - ok sounds promising! I look forward to hearing more about this. :smile:
I've just moved this to the v18.1 milestone as I don't think we'll get to it for v18.0, but I think it would be a good thing to have!
tl;dr this is a very inexpensive way to drastically cut down on brute force log noise. it watches the output of the ssh filter and bans repeat offenders for much longer durations. with the numbers set conservatively, this will ban high-volume brute force sources with minimal impact to Turnkey users.
the 'findtime' and 'bantime' variables should be the subject of some discussion - I use 12 hours and 1 week respectively, which is more aggressive than is appropriate for defaults (maybe 12h / 24h would suffice)
let me know thoughts, and if interested I'll document the config changes necessary.