
Is there any advantage to me installing fail2ban on my VPS web server? As far as I understood, fail2ban's only purpose is to stop brute-force and dictionary attacks by preventing consecutive password logins from the same IP address.

If I have a 12-character password, randomly generated and containing lower-case and upper-case letters, the digits 0-9 and the symbol characters on a standard US keyboard, which all together amount to 69 bits of entropy (according to KeePass), is there any realistic scenario where brute-forcing my SSH root login can breach my always-online VPS?

Fire Quacker
Alex
  • Any reason you are using passwords? Or rather, any reason you cannot use SSH keys? I said this in a reply but someone deleted it, saying "this is not an answer to what was asked". However, I am wondering if what you asked is not in reality an X-Y problem. Hence my question. –  Jan 29 '20 at 08:01
  • No real reason. I just like passwords and authentication tokens to be something small and something I can remember. A password, even a randomly generated one, can be something that I can memorize if need be, if it's under 15 characters long, whereas an SSH key is really, really large and next to impossible for the human brain to memorize. This would prove to be a problem if I ever need to authenticate myself from a machine I don't own in a spur-of-the-moment emergency. – Alex Jan 29 '20 at 18:50
  • In that case, and since you said "root login", may I suggest: (1) deny password login for root in sshd_config, using keys for normal login; (2) create a separate user ID whose name is not obvious (brute-forcers don't stop at trying "root"; they have a standard list of users they try, but it's not a huge list). When you have to log in from someone else's machine you can use that user ID + password, and then "sudo" or "su" to get to root. –  Jan 30 '20 at 00:44
  • That's a good idea. Thanks for the tip! – Alex Feb 05 '20 at 21:06

1 Answer

Even if you have a very strong password, it's best to block attacks immediately, preferably at the firewall level, which is something that fail2ban and other similar tools do.

You could do nothing and let the hackers pound in vain against your server forever, but that is a waste of CPU and bandwidth. There is no reason why you should allow this.

In addition to these precautions, you should still try to minimize your attack surface; for example, you could restrict SSH access to a few dedicated IP addresses if that is an option for you. The idea is to expose as few services as possible.

Kate
  • Yes, I've seen brute-force poundings drop from 40 thousand per day to next to zero after implementing even a 30-minute lockout. The bots generally give up quickly and move on. – user10216038 Jan 23 '20 at 01:20
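To make the answer's two points concrete (a jail stops the pounding at the first few failures, and the 69-bit password was never the weak spot), here is an added example that is not part of the original question or answer and is not fail2ban's own code. It re-implements the sliding-window logic fail2ban applies to an sshd log (maxretry failures within findtime seconds triggers a ban of bantime seconds) and runs it over a handful of constructed /var/log/auth.log lines, then puts an upper bound on how many guesses a single IP can make per day under that policy and how long exhausting a 69-bit password space would take. The log lines, the IP addresses (documentation ranges) and the guess rates are constructed for illustration; the jail values mirror the 30-minute lockout from the comment and fail2ban's usual maxretry/findtime, not any particular installation's config.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in /var/log/auth.log format (not a real capture).
# Classic syslog timestamps carry no year, so parsing assumes one.
SAMPLE_AUTH_LOG = """\
Jan 23 01:00:01 vps sshd[1201]: Failed password for root from 203.0.113.7 port 51022 ssh2
Jan 23 01:00:02 vps sshd[1201]: Failed password for root from 203.0.113.7 port 51022 ssh2
Jan 23 01:00:04 vps sshd[1203]: Failed password for invalid user admin from 203.0.113.7 port 51030 ssh2
Jan 23 01:00:05 vps sshd[1205]: Failed password for root from 203.0.113.7 port 51041 ssh2
Jan 23 01:00:06 vps sshd[1207]: Failed password for root from 203.0.113.7 port 51055 ssh2
Jan 23 01:00:07 vps sshd[1209]: Failed password for root from 203.0.113.7 port 51060 ssh2
Jan 23 01:03:10 vps sshd[1211]: Failed password for root from 198.51.100.9 port 40001 ssh2
Jan 23 01:20:00 vps sshd[1213]: Failed password for root from 198.51.100.9 port 40002 ssh2
Jan 23 01:21:00 vps sshd[1215]: Accepted publickey for ops from 192.0.2.10 port 52000 ssh2
"""

# Matches sshd password failures, with or without the "invalid user" prefix.
FAILURE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

SECONDS_PER_DAY = 86400
SECONDS_PER_YEAR = 365 * SECONDS_PER_DAY


def parse_failures(log_text, year=2020):
    """Yield (timestamp, ip, user) for every failed password attempt in the log."""
    for line in log_text.splitlines():
        m = FAILURE_RE.match(line)
        if not m:
            continue  # successful logins and unrelated lines are ignored
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["ip"], m["user"]


def simulate_jail(log_text, maxretry=5, findtime=600, bantime=1800):
    """Sliding-window jail in the style of fail2ban's sshd jail.

    An IP is banned once it has maxretry failures inside the last findtime
    seconds; the ban lasts bantime seconds. Returns (bans, dropped): bans maps
    each banned IP to the time of its first ban, dropped counts failures that
    arrived while the IP was banned (a firewall rule would have swallowed them).
    """
    recent = defaultdict(deque)  # ip -> timestamps of failures inside findtime
    banned_until = {}
    bans = {}
    dropped = 0
    for ts, ip, _user in parse_failures(log_text):
        if ip in banned_until and ts < banned_until[ip]:
            dropped += 1
            continue
        q = recent[ip]
        q.append(ts)
        while q and (ts - q[0]).total_seconds() > findtime:
            q.popleft()  # forget failures older than the window
        if len(q) >= maxretry:
            banned_until[ip] = ts + timedelta(seconds=bantime)
            bans.setdefault(ip, ts)
            q.clear()
    return bans, dropped


def max_guesses_per_day(maxretry=5, findtime=600, bantime=1800):
    """Upper bound on password guesses one IP can make per day under the jail.

    Assumed model: the attacker spends maxretry guesses, is banned for bantime,
    and if bantime < findtime the old failures still count once the ban lifts,
    so the cycle length is max(findtime, bantime).
    """
    return maxretry * SECONDS_PER_DAY / max(findtime, bantime)


def years_to_exhaust(entropy_bits, guesses_per_second):
    """Years needed to try every password of the given entropy at a fixed rate."""
    return 2 ** entropy_bits / guesses_per_second / SECONDS_PER_YEAR


if __name__ == "__main__":
    bans, dropped = simulate_jail(SAMPLE_AUTH_LOG)
    print("banned:", {ip: ts.isoformat() for ip, ts in bans.items()}, "dropped:", dropped)
    jailed = max_guesses_per_day() / SECONDS_PER_DAY
    print(f"with jail: {max_guesses_per_day():.0f} guesses/day/IP,"
          f" {years_to_exhaust(69, jailed):.2e} years to exhaust 69 bits")
    # Assumed unthrottled rate for comparison; the point is the exponent, not the figure.
    print(f"without jail at 1000 guesses/s: {years_to_exhaust(69, 1000):.2e} years")
```

In the sample, 203.0.113.7 reaches five failures within the window at 01:00:06 and is banned, so its sixth attempt is dropped, while 198.51.100.9 never accumulates enough failures inside ten minutes to trigger anything. The rate arithmetic is the honest answer to the entropy question: even at an assumed thousand guesses per second with no jail at all, exhausting 69 bits takes on the order of 10^10 years, so the jail's value is the bandwidth, CPU and log noise it removes, not the password it protects.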