tensai at zmonkey.org
Mon Apr 15 07:58:20 MDT 2013
On 04/13/2013 12:10 PM, Andy Bradford wrote:
> Thus said Corey Edwards on Fri, 12 Apr 2013 10:08:06 -0600:
>> The primary advantage fail2ban would have over your iptables filters
>> is being able to differentiate successful and failed logins.
> If one can't be bothered to use SSH keys, or get one's password right in
> 10 times per minute (assuming I interpret the iptables rules correctly),
> one deserves to be blocked. ;-)
The scenario I'm describing is a bunch of successful logins in very
quick sequence. 10 logins per minute is a lot, but I could imagine some
times where it might happen. To get that rate, you'd almost have to be
using keys (doesn't everybody?). In that situation, fail2ban could
safely ignore those connections but iptables would incorrectly detect it
as an attack.
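To make the difference concrete, here is an added example (not part of the thread) in Python that replays constructed sshd log lines through two counters: one that counts every login event for a source address, as a connection-rate iptables rule effectively does, and one that counts only failures, as fail2ban does. The log lines, hostnames and addresses are constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Matches the auth-log lines sshd writes for both outcomes, e.g.
#   "Accepted publickey for deploy from 192.0.2.10 port 40000 ssh2"
#   "Failed password for invalid user admin from 198.51.100.7 port 50000 ssh2"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) \S+ for (?:invalid user )?\S+ "
    r"from (?P<ip>[\d.]+)"
)


def parse(line):
    """Return (timestamp, source_ip, failed) for a login line, else None."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
    return ts, m["ip"], m["result"] == "Failed"


def offenders(lines, limit=10, window=timedelta(minutes=1), count_successes=False):
    """Return source IPs that exceed `limit` counted events inside any `window`.

    count_successes=True models a connection-rate rule (every login counts,
    whatever its outcome); False models fail2ban (only failures count).
    """
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    flagged = set()
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        ts, ip, failed = ev
        if not failed and not count_successes:
            continue              # fail2ban ignores successful logins
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()           # drop events older than the window
        if len(q) > limit:
            flagged.add(ip)
    return flagged


def build_sample():
    """Constructed log: 12 key logins from one host and 12 failed passwords
    from another, all inside the same 45-second burst."""
    lines = []
    for i in range(12):
        lines.append(f"Apr 12 10:08:{i * 4:02d} host sshd[{1000 + i}]: Accepted "
                     f"publickey for deploy from 192.0.2.10 port {40000 + i} ssh2")
        lines.append(f"Apr 12 10:08:{i * 4 + 1:02d} host sshd[{2000 + i}]: Failed "
                     f"password for invalid user admin from 198.51.100.7 port {50000 + i} ssh2")
    return lines
```

With the same 10-per-minute threshold, the connection-rate view blocks both hosts while the failure-only view blocks just the password-guessing one.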