Is it worthwhile running fail2ban, sshdfilter or similar tools, which blacklist IP addresses which attempt and fail to log in?
I've seen it argued that this is security theatre on a "properly secured" server. However, I feel that it probably makes script kiddies move on to the next server in their list.
Let's say that my server is "properly secured" and I am not worried that a brute force attack will actually succeed – are these tools simply keeping my logfiles clean, or am I getting any worthwhile benefit in blocking brute force attack attempts?
Update: Lots of comments about brute force guessing of passwords – I did mention that I wasn't worried about this. Perhaps I should have been more specific and asked whether fail2ban had any benefits for a server that only allows key based ssh logins.
Best Answer
Rate limiting login attempts is an easy way to prevent some of the high speed password guessing attacks. However, it's hard to limit distributed attacks and many run at a low pace over weeks or months. I personally prefer to avoid using automated response tools like fail2ban. And this is for two reasons:
Therefore I don't consider fail2ban (and similar automated response tools) a very good approach to securing a server against brute force attacks. A simple IPTables rule set to cut down on the log spam (which I have on most of my Linux servers) is something like this:
It prevents more than 4 connection attempts from a single IP to ssh in any 60 second period. The rest can be handled by ensuring passwords are reasonably strong. On high security servers forcing the users to use public key authentication is another way to stop guessing.
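The rule set itself did not survive on this page, so the following is an added example, not the answerer's own rules: an iptables limit on new SSH connections using the `recent` match, built to behave as the answer describes (more than 4 new connections from one source address in any 60 second window are dropped). The port, window, threshold and list name are assumptions exposed as variables; the functions only print the rules unless the script is run as root with `--apply`, so you can review them first.

```shell
#!/bin/sh
# Added example (not from the original answer): rate limit new SSH
# connections per source IP with the iptables "recent" match.
# All four values below are assumptions; adjust them to your environment.
SSH_PORT="${SSH_PORT:-22}"
WINDOW_SECONDS="${WINDOW_SECONDS:-60}"
MAX_ATTEMPTS="${MAX_ATTEMPTS:-4}"
LIST_NAME="${LIST_NAME:-SSHLIMIT}"

# Emit the rules instead of applying them, so they can be reviewed or piped
# into a firewall script. Rule order matters: the --update/--hitcount DROP
# rule must precede the --set rule. --set records a timestamp for every new
# connection, while --update only matches (and drops) once the source already
# has at least MAX_ATTEMPTS timestamps inside WINDOW_SECONDS. The net effect
# is that the first MAX_ATTEMPTS connections pass and the next one is dropped.
ssh_ratelimit_rules() {
    cat <<EOF
iptables -A INPUT -p tcp --dport $SSH_PORT -m conntrack --ctstate NEW -m recent --name $LIST_NAME --rsource --update --seconds $WINDOW_SECONDS --hitcount $MAX_ATTEMPTS -j DROP
iptables -A INPUT -p tcp --dport $SSH_PORT -m conntrack --ctstate NEW -m recent --name $LIST_NAME --rsource --set
EOF
}

# Apply the emitted rules. Refuses to run without root so a dry run never
# touches the live firewall by accident.
ssh_ratelimit_apply() {
    if [ "$(id -u)" -ne 0 ]; then
        echo "ssh_ratelimit_apply: must run as root" >&2
        return 1
    fi
    ssh_ratelimit_rules | while IFS= read -r rule; do
        eval "$rule" || return 1
    done
}

# Show the live counters and the kernel's view of the tracked sources.
# /proc/net/xt_recent/<name> lists each address with its recorded timestamps.
ssh_ratelimit_status() {
    iptables -L INPUT -v -n --line-numbers
    [ -r "/proc/net/xt_recent/$LIST_NAME" ] && cat "/proc/net/xt_recent/$LIST_NAME"
}

case "${1:-}" in
    --apply)  ssh_ratelimit_apply ;;
    --status) ssh_ratelimit_status ;;
    *)        ssh_ratelimit_rules ;;
esac
```

Running the script with no arguments prints the two rules for inspection; `--apply` installs them and `--status` shows the hit counters plus the tracked addresses. Note that dropped packets are still counted in the `DROP` rule's byte and packet counters, so this gives you a rough view of scanning activity without the per-line sshd log noise. A legitimate user who fumbles a key file more than four times in a minute will also be dropped until the window expires, which is the trade-off the answer accepts.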