
I have been doing plenty of research on Advanced Policy Firewall (APF) and Fail2Ban. I have a VPS under SSH brute force attack. I'm leaning towards APF and just allowing my few IPs through. However, I would love to have the convenience of using any IP I want, which is possible with Fail2Ban.

Since Fail2Ban scans the logs and writes to iptables, does anyone have experience with which one is better for security and VPS performance to conserve resources? I know they can work together, but I would like to choose one.

DomainsFeatured

1 Answer


Both firewalls are among the best in the industry. When choosing the best one, it is based on the individual and environment requirements.

I would prefer Fail2ban over APF.

By default, fail2ban is configured to work with iptables.

Fail2ban adds a chain to iptables.

We have the flexibility (you can write your own alerts and filters) of configuring fail2ban to have many different actions; this allows it to work with iptables, shorewall, etc.

The service itself is incredibly easy for most users because most of the difficult configuration has been taken care of for you.

The configuration files seem much more organized and by their nature seem to allow more flexibility.

However, when you deviate from the standard configuration, it is helpful to know how fail2ban functions in order to manipulate its behavior in a predictable way.

Specify the path to any log file (apache, ssh, nginx, mail server, ...).

Specify a regex for attack patterns (e.g., more than 10 "404 errors" by the same IP in the nginx access log in 6 seconds).

Specify a regex to ignore certain patterns (very useful!).

Specify the ban time.

Send an email (or any other alert...).

Note: Please do take time researching what's best for your environment, as all the updates will be based on the exposure and customization for our environment.

mightyteja
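The answer above lists what a fail2ban jail is made of (a log path, a failregex, an ignoreregex, a retry threshold inside a time window, a ban time, and an action). The following script is an added example, not code from the answer's author or from the fail2ban project: it re-implements that jail logic in a few dozen lines so you can see how the pieces interact before editing a real jail.local. The jail and filter text, the chain name f2b-sshd, the year used to complete syslog timestamps, and the sample auth.log lines (TEST-NET addresses) are all constructed for this example; the `<HOST>` expansion is a simplified IPv4-only stand-in for fail2ban's real tag, and the "action" is just the iptables command string that fail2ban's default banaction would run.

```python
"""Toy re-implementation of a fail2ban jail (added example, not fail2ban code).

A filter's failregex / ignoreregex is applied to each log line, failures per
source IP are counted inside a sliding findtime window, and an IP that reaches
maxretry is "banned": the iptables command fail2ban would run is returned.
"""
import configparser
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed jail.local-style section (hypothetical values).
JAIL_CONF = """
[sshd]
enabled  = true
logpath  = /var/log/auth.log
maxretry = 3
findtime = 600
bantime  = 3600
"""

# Constructed filter.d/sshd.conf-style definition. fail2ban strips the syslog
# timestamp before matching, so the patterns start at the daemon name.
# ignoreregex drops failures of a (hypothetical) "monitor" account that is
# expected to fail password auth, so it never counts towards a ban.
FILTER_CONF = r"""
[Definition]
failregex   = ^sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from <HOST> port \d+ ssh2$
ignoreregex = ^sshd\[\d+\]: Failed password for monitor from <HOST> port \d+ ssh2$
"""

# Simplified stand-in for fail2ban's <HOST> tag (real one also takes IPv6/hostnames).
HOST_TAG = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# syslog prefix: "Mon DD HH:MM:SS hostname <message>"
SYSLOG_RE = re.compile(r"^(\w{3} [ \d]\d \d\d:\d\d:\d\d) \S+ (.*)$")

# Constructed sample log: 203.0.113.5 fails 3 times in 5 s (banned); the
# "monitor" line is ignored; 198.51.100.7 fails 3 times, but the first
# failure falls outside findtime, so only 2 count and it is not banned.
SAMPLE_LOG = """\
Jan 10 12:00:01 vps sshd[2201]: Failed password for root from 203.0.113.5 port 51234 ssh2
Jan 10 12:00:03 vps sshd[2201]: Failed password for invalid user admin from 203.0.113.5 port 51236 ssh2
Jan 10 12:00:04 vps sshd[2203]: Failed password for monitor from 198.51.100.7 port 40000 ssh2
Jan 10 12:00:05 vps sshd[2204]: Accepted publickey for deploy from 192.0.2.10 port 50001 ssh2
Jan 10 12:00:06 vps sshd[2205]: Failed password for root from 203.0.113.5 port 51240 ssh2
Jan 10 12:00:09 vps sshd[2206]: Failed password for root from 198.51.100.7 port 40002 ssh2
Jan 10 12:20:30 vps sshd[2300]: Failed password for root from 198.51.100.7 port 40003 ssh2
Jan 10 12:20:31 vps sshd[2301]: Failed password for root from 198.51.100.7 port 40004 ssh2
"""


def load_jail(jail_text, filter_text, name):
    """Parse the INI-style jail and filter text into a config dict."""
    jail = configparser.ConfigParser(interpolation=None)
    jail.read_string(jail_text)
    flt = configparser.ConfigParser(interpolation=None)
    flt.read_string(filter_text)

    def compile_tag(pattern):
        return re.compile(pattern.replace("<HOST>", HOST_TAG))

    return {
        "maxretry": jail.getint(name, "maxretry"),
        "findtime": jail.getint(name, "findtime"),
        "bantime": jail.getint(name, "bantime"),
        "failregex": compile_tag(flt.get("Definition", "failregex")),
        "ignoreregex": compile_tag(flt.get("Definition", "ignoreregex")),
    }


def parse_line(line, year=2024):
    """Split a syslog line into (timestamp, message); syslog has no year, so one is assumed."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
    return ts, m.group(2)


def run_jail(cfg, lines):
    """Feed log lines through the jail; return the ban actions it would fire."""
    failures = defaultdict(deque)  # ip -> timestamps of failures inside findtime
    banned = {}                    # ip -> ban expiry
    actions = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, msg = parsed
        if cfg["ignoreregex"].search(msg):      # ignoreregex wins over failregex
            continue
        m = cfg["failregex"].search(msg)
        if not m:
            continue
        ip = m.group("host")
        if ip in banned and ts < banned[ip]:     # still banned: do not re-ban
            continue
        q = failures[ip]
        q.append(ts)
        while q and (ts - q[0]).total_seconds() > cfg["findtime"]:
            q.popleft()                          # slide the findtime window
        if len(q) >= cfg["maxretry"]:
            banned[ip] = ts + timedelta(seconds=cfg["bantime"])
            actions.append(f"iptables -I f2b-sshd 1 -s {ip} -j REJECT")
            q.clear()
    return actions


def demo():
    return run_jail(load_jail(JAIL_CONF, FILTER_CONF, "sshd"), SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for action in demo():
        print(action)
```

The run bans only 203.0.113.5: 198.51.100.7 also fails three times, but the first failure is 20 minutes before the other two, outside the 600-second findtime, which is exactly the tuning knob the answer's "more than N failures in M seconds" example refers to. When writing a real filter, test it with fail2ban-regex against your actual log before enabling the jail, and keep an ignoreip entry for the addresses you administer from so a typo in your own password cannot lock you out.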