Question

fail2ban brute force question

Posted November 30, 2014 2.9k views

I have fail2ban installed on my Ubuntu droplet and it is working great. I have noticed that I receive notifications upwards of 100 banned IP’s each day. I guess it is a brute force attack that is changing the ip of the attacker. Is there something else I could be doing to stop these attacks? Most of the attacks look like they are targeting sasl and ftp.

Add a comment
dirk2099
By:
dirk2099

These answers are provided by our Community. If you find them useful, show some love by clicking the heart. If you run into issues leave a comment, or add your own answer to help others.

×
Submit an Answer
2 answers
larry December 2, 2014

In an effort to decrease the likelihood of a successful brute force crack attempt, I have severely increased the ban times for repeated attempts. I ban the attacking IP for a year after the second time it trips a ban.

There isn’t a lot more you can do except to change the ports you’re using to something other than the standard port numbers.

The number of crack attempts used to bother me until I noticed that most of them attempting to gain access via “standard” user names, none of which I use, and I disabled root access. As long as you have a strong password or use public key access, you shouldn’t have much to worry about. The only other thing then was the number of ban notification emails I was getting. I now just automatically file those for reference, so I don’t see them unless I want to, and I really don’t think about them much anymore.

Reply Report
dirk2099 December 2, 2014
[deleted]
Reply Report

Looking for something else?

Ask a new question Search for more help