
Is there any point to running fail2ban to protect your SSH connection if you connect from a static IP?

As far as I can see, having fail2ban running means that you effectively open up port 22 to hackers, as it puts an entry in your iptables to allow port 22 connections from any IP. It may then ban them according to your jail settings, but would it not be safer to have the following iptables entries instead?

```
Chain INPUT (policy ACCEPT)
1 ACCEPT     tcp  --  {mystaticIP}             0.0.0.0/0           tcp dpt:22
2 REJECT     tcp  --  0.0.0.0/0                0.0.0.0/0           reject-with icmp-host-prohibited
```

**OR** maybe this option, with fail2ban, is safer?

```
Chain INPUT (policy ACCEPT)
1 fail2ban-SSH  tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:22
...
Chain fail2ban-SSH (1 references)
1 REJECT     all  --  0.0.0.0/0               0.0.0.0/0           reject-with icmp-host-prohibited
```

with the jail.local setting `ignoreip = 127.0.0.1/8 {mystaticIP}`

masegaloeh
funnyfish

2 Answers

This is somewhat opinion-based, but I think that if you can limit access to a service to a set of specific IPs and block everything else, this is preferable over a service like fail2ban, as you also prevent a theoretical exploit of that service.

It's entirely possible that someday someone finds a bug in OpenSSH that grants access if certain circumstances are met. Fail2ban would not prevent that, but if an attacker can't even connect from his IP, you are still protected.

Sven

Limiting access to an application to a specific subset of trusted IPs is always less risky than opening it to the world at large. Consider the SSH example you put forth. Fail2ban can potentially slow down attempts to brute force your SSH server. Its use case is generally for systems that by necessity must be reachable from the internet at large. This is useful, but does nothing if there is a vulnerability in SSH.

Preventing the packets from even reaching your SSH daemon using iptables would prevent malicious traffic from reaching it. It also would prevent brute force attempts from the world at large. Unless one of your trusted IPs is first compromised or otherwise used as a reflection point this control is much more effective than fail2ban.