Is Fail2Ban Safe? Comparison with SSH Keys

fail2banssh

I'm in doubt if I should use key authentication when logging into SSH, or just go for fail2ban + ssh (root login disabled).

Is fail2ban safe or is it really better to just go ahead and generate keys and config that on all my client machines that need to connect to ssh?

Best Answer

I judge it as a stable product and I regard it as safe. As an extra precaution I would add your source IP address to the ignoreip directive in the jails.conf to make sure you don't block yourself.

Since it parses the ssh logs a TCP session is going to have to be established so spoofing source IPs and getting the TCP sequences numbers right to create a sort of backscatter variation seems unlikely.

Using keys on top of this as well isn't a bad idea. Other options that help are moving ssh to a nonstandard IP, using the "recent" iptables module, or just deciding you don't care if people try to brute force passwords. See this serverfault post for more on these.

Related Solutions

Linux – How to Automatically Add New Host to known_hosts

Set the StrictHostKeyChecking option to no, either in the config file or via -o :

ssh -o StrictHostKeyChecking=no username@hostname.com

SSH – Stop Client from Offering All Public Keys

This is expected behaviour according to the man page of ssh_config:

 IdentityFile
         Specifies a file from which the user's DSA, ECDSA or DSA authentica‐
         tion identity is read.  The default is ~/.ssh/identity for protocol
         version 1, and ~/.ssh/id_dsa, ~/.ssh/id_ecdsa and ~/.ssh/id_rsa for
         protocol version 2.  Additionally, any identities represented by the
         authentication agent will be used for authentication.  

         [...]

         It is possible to have multiple identity files specified in configu‐
         ration files; all these identities will be tried in sequence.  Mul‐
         tiple IdentityFile directives will add to the list of identities
         tried (this behaviour differs from that of other configuration
         directives).

Basically, specifying IdentityFiles just adds keys to a current list the SSH agent already presented to the client.

Try overriding this behaviour with this at the bottom of your .ssh/config file:

Host *
  IdentitiesOnly yes

You can also override this setting on the host level, e.g.:

Host foo
  User bar
  IdentityFile /path/to/key
  IdentitiesOnly yes

Best Answer

Related Solutions

Linux – How to Automatically Add New Host to known_hosts

SSH – Stop Client from Offering All Public Keys

Related Topic