
The sshd_config and fail2ban both work by blocking authentication requests over a specified path, thus notifying the attacker about the protection measures in place.

Wouldn't it be more desirable to not give any information to the attacker?

  • SSH: Still prompt for a password, despite only key authentication being allowed, and just return 'wrong password' without giving it a look?
  • Fail2Ban: After n failed login attempts, reroute the attacker's traffic to a process on a different port, which from then on returns a static 'login failed' response to the attacker, indistinguishable from the server's response for wrong passwords.

Is my thought flawed? Is it possible to configure sshd or fail2ban in the way depicted?

Senkaku
    What do you want to achieve with that? – techraf Aug 13 '16 at 15:38
  • Giving the attacker a wrong picture of his target, from which he might derive a different approach for tackling the server. Maybe that is even counterproductive, as he might now prey even more on me, as he thinks I am easy to own. :) But the same can be argued about the sense of putting a router's firewall into stealth mode or just responding with 'port closed', right? – Senkaku Aug 13 '16 at 15:46
  • https://serverfault.com/questions/695850/fail2ban-redirect/696042#696042 – techraf Aug 13 '16 at 15:55
  • Something is wrong in your plan. In order for sshd to give out a password error, it would only make sense if it did indeed request a password. Also, there's no need to keep traffic coming from an attacker to a different port. When you identify that the IP is a threat, you simply drop the packets. – Julie Pelletier Aug 13 '16 at 16:30

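The rerouting half of the proposal, written out as an added example that is not from the question, the comments or the fail2ban project itself: a custom fail2ban action that, once a jail trips, sends the offender's port-22 traffic to a listener on another port with an iptables nat REDIRECT instead of dropping it. The action name iptables-redirect, the honeyport value 2222 and the jail settings are assumptions; the fake-sshd listener that must sit on that port and answer with a static 'login failed' is not shown.

```ini
# /etc/fail2ban/action.d/iptables-redirect.conf  (assumed file name)
#
# Added example: instead of DROP/REJECT, banned IPs get their port-<port>
# traffic redirected to <honeyport> in the nat table.  <name>, <ip> and
# <port> are standard fail2ban tags; <honeyport> is defined below in [Init].
[Definition]

# Create a per-jail chain in the nat table and hook it into PREROUTING.
actionstart = iptables -t nat -N f2b-<name>
              iptables -t nat -I PREROUTING -p tcp --dport <port> -j f2b-<name>

# Unhook and delete the chain when the jail stops.
actionstop  = iptables -t nat -D PREROUTING -p tcp --dport <port> -j f2b-<name>
              iptables -t nat -F f2b-<name>
              iptables -t nat -X f2b-<name>

# fail2ban runs this periodically to verify the chain is still in place.
actioncheck = iptables -t nat -n -L PREROUTING | grep -q 'f2b-<name>[ \t]'

# Ban: REDIRECT is only valid in nat PREROUTING/OUTPUT and needs -p tcp
# together with --dport for --to-ports to apply.
actionban   = iptables -t nat -I f2b-<name> 1 -s <ip> -p tcp --dport <port> -j REDIRECT --to-ports <honeyport>

# Unban: remove exactly the rule actionban added.
actionunban = iptables -t nat -D f2b-<name> -s <ip> -p tcp --dport <port> -j REDIRECT --to-ports <honeyport>

[Init]
# Defaults; the jail overrides them via action parameters.
name      = default
port      = 22
honeyport = 2222

# /etc/fail2ban/jail.local  (assumed jail; the sshd filter ships with fail2ban)
[sshd]
enabled  = true
port     = ssh
filter   = sshd
logpath  = /var/log/auth.log
maxretry = 5
bantime  = 3600
action   = iptables-redirect[name=sshd, port=22, honeyport=2222]
```

Two caveats a practitioner would want before relying on this. First, the decoy on port 2222 has to be reachable only through the REDIRECT: bind it to the address the kernel rewrites to and filter direct connections to 2222, or an attacker can compare the real and decoy services side by side. Second, the 'indistinguishable' goal is hard to meet in practice, because the decoy must reproduce sshd's version banner, key exchange, host key and timing; anything less tells the attacker exactly what the question wanted to hide, which is the concern raised in the comments. The sshd half of the proposal (prompt for a password but never evaluate it) is not an sshd_config switch; the usual way to get that behaviour is to leave PasswordAuthentication on and have the PAM stack for sshd fail every password (pam_deny.so), which is beyond the fail2ban example above.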