thought/fail2ban-sux.html
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
fail2ban sucks 2020-03-22 -> fail2ban sucks i've made this argument countless times on the internet, so i figure i'd write it down so that i can just link to it instead. this tends to be a controversial opinion, i think. critical note: i am not saying that fail2ban sucks for every use-case, i am mostly writing this in such a way to try and counteract the fervant fail2ban recommendations that i see everywhere, which i think are dangerous. if you like fail2ban, fine, use it - but these are my thoughts. for those unfamiliar with fail2ban, generally speaking, it is a piece of software that monitors log files for login failures, and then interacts with your firewall to block the IP addresses belonging to those failures. It is configurable such that one can say "if an IP fails to login via SSH 10 times in a row, block it for 1 hour." i see fail2ban commonly recommended on the internet. typically when someone new to server administration sets up a server and asks about all of these weird SSH attempts, that's when fail2ban comes up. here are some quotes from fail2ban fans: > One handy service is fail2ban, which will automatically > IP addresses to the firewall if enough failed attempts > are tried > To ban those, you could try to use fail2ban. Seems to be a common approach to > this kind of bot activity. > In this case, a good password with iptables rate limiting, fail2ban & log > monitoring is better. > Non-standard port and/or fail2ban for logspam if you're having fun. > I find the best/laziest combo is ufw/ssh/fail2ban/f2b-loop/logwatch. i have a few arguments, this is the summary: do not change your standard ports. do not use fail2ban. do harden your applications with their built-in mechanisms. if you need super extra security for certain apps, only allow trusted IP ranges - use an IP whitelist. most everyone else is overengineering. fail2ban sucks, let me count the ways. fail2ban: * will not stop an advanced persistent threat * will inconvinience you at some point * may inconvinience *your users* at some point * opens you up to fail2ban vulnerabilities * may make you feel like your system is more secure than it is * is no more secure than a properly configured application * is actually _less_ secure than a properly configured application at best, fail2ban: does nothing at worst, fail2ban: causes you massive inconvinience or total lockout let's put ourselves in the mindset of a new system administrator. they spun up a new capsul[1], they're peeking around their new system. suddenly they notice their SSH logs - hundreds of ip addresses from russia and china attempting to log into their systems over and over. naturally, this triggers what one might call "bad vibes." it makes the system feel less clean. who decided that this was okay? i just finished setting this system up and it's already under attack!? do not listen to their advice, new admin. simply setup SSH properly, and don't worry about a thing. here is my rationale. first, let's think about who exactly those IPs belong to. * bots there are tens of thousands of bots trying common username/password combination against every service known on earth - SSH isn't special. This goes for every login page on the internet that expects a username and a password. Think email and neocities. Think wordpress admin pages and databases interfaces left wide open. if you do not leave your services listening on public interfaces while they're configured with usernames like "admin" and passwords like "admin", you have nothing to worry about. * curious users friends looking to prank you, kids with no idea what SSH even is, maybe that one girl at the bar you pissed off who has Kali installed on her laptop. pro tip: these attempts will likely be less successful than the bots. * advanced persistent threads usually state actors, maybe a botnet operator with a grudge. in either case, fail2ban does nothing - these users can scream through proxies like they're seeing the matrix. they can change their IP address nineteen million times a second without blinking. you can ban a quarter of the IP addresses on earth with fail2ban - the attacker will use another quarter. what i'm saying is, if you're fucked, you're fucked. fail2ban will not help. but if you're secure, you're secure, fail2ban will not help. see what i'm getting at? OpenSSH i'll speak about OpenSSH specifically, but only because it's brought up so often. here are the hardening guidelines that you should abide by. * generate a password protected private/public keypair * use key-based authentication to your system(s) * turn off username/password auth you will still see the failed login messages. ignore them. unless someone hacks your key _and_ the decryption password, they **are not getting in via SSH**. it would take roughly 2,000 years using the dedicated compute power of every computer on earth put together to bruteforce that key. don't sweat it. they are not getting in. fail2ban is good for freeing up resources though, right? wrong. fail2ban has to fuck with a live firewall. it'll probably block you out. every second of your time is worth more than a hundred hours of your compute operating properly. setting up fail2ban takes time, and so does getting yourself unblocked from it. the resources consumed by 10 SSH login attempts per minute is staggeringly low. * if someone is trying to DDOS you, sorry, _you are going to get DDOS'd_, fail2ban will not help. but j3s i have a very valid super-dooper good reason for changing the default OpenSSH port of 22 to some other port well, okay fine. go ahead. but please take the following into account: * changing your SSH port to non-root port (>1024) means that if the SSH daemon dies, any userland process can take its' place. this is bad. * changing your SSH port means that you'll have to do a bunch of fuckery to get basic functionality working. you will very likely waste hours of your life. you will have to google "rsync ssh non standard port" every time you want to use rsync. you will have to remember scp flags. this is also bad. probably worse. * you will have to tell the port to anyone else who tries legitimately accessing your system. in my mind, the only valid use-case for switching your default SSH port is that flipping it to listen on port 80 or 443 will get around most workplace firewalls. well okay fine, OpenSSH is a special case though, right? any application that is used to being bruteforced will likely have protections implemented that you can use against such bruteforcing. for an interesting read, check out spamd: https://man.openbsd.org/spamd > When a sending host talks to spamd, the reply will be > stuttered. That is, the response will be sent back a > character at a time, slowly. For blacklisted hosts, the > entire dialogue is stuttered. For greylisted hosts, the > default is to stutter for the first 10 seconds of > dialogue only. hilarious. are you okay? not really aka, my recommendations: * understand the security mechanisms built-in to your application/daemon * use those mechanisms * get on with your life misc [1]: https://capsul.org fail2ban CVEs: https://www.cvedetails.com/vendor/5567/Fail2ban.html SSH hardening: https://linux-audit.com/audit-and-harden-your-ssh-configuration/