Been using UNIX since the late 80s; Linux since the mid-90s; virtualization since the early 2000s and spent the past few years working in the cloud space.
Location
Alexandria, VA, USA
Education
B.S. Psychology from Pennsylvania State University
I run fail2ban on any internet-facing systems I'm responsible for. This article mad me curious, so I did a quick scan of my failed logins log (on my personal VPS). Results are pretty grim:
logrotate had rotated the log earlier today ...so the following numbers are < 24 hours
5732 attempts
876 unique userids (used tr to convert them all to lowercase then ran that list through uniq)
40,241 login failures cataloged by fail2ban
12,433 IPs banned
55 IPs within the ban-rotation window (1 hour for the ssh service, specifically)
The fail2ban stuff gets even more grim when extended to SMTP
Been using UNIX since the late 80s; Linux since the mid-90s; virtualization since the early 2000s and spent the past few years working in the cloud space.
Location
Alexandria, VA, USA
Education
B.S. Psychology from Pennsylvania State University
Yeah. ip-set rules are great for ensuring across-boot persistence, too.
One of these days, I'll get around to integrating my deployment-configuration with a "phone home" hook that informs the configuration service, "when re-provisioning this host or provisioning new hosts, blacklist these IPs".
For further actions, you may consider blocking this person and/or reporting abuse
We're a place where coders share, stay up-to-date and grow their careers.
I run
fail2banon any internet-facing systems I'm responsible for. This article mad me curious, so I did a quick scan of my failed logins log (on my personal VPS). Results are pretty grim:logrotatehad rotated the log earlier today ...so the following numbers are < 24 hourstrto convert them all to lowercase then ran that list throughuniq)sshservice, specifically)The
fail2banstuff gets even more grim when extended to SMTP+1 for
fail2ban! Works like a charm. I've addedip-setto it lately and this has helped to reduce load significantly.Yeah.
ip-setrules are great for ensuring across-boot persistence, too.One of these days, I'll get around to integrating my deployment-configuration with a "phone home" hook that informs the configuration service, "when re-provisioning this host or provisioning new hosts, blacklist these IPs".