SSH hacked?

Derek Broughton derek at
Wed Jan 14 15:24:16 UTC 2009

Res wrote:

> On Wed, 14 Jan 2009, Anthony M. Rasat wrote:
>> My god, so much effort to protect ourselves from SSH Brute Force attack.
>> Why not using fail2ban (
>> I've been using it for more than a couple of years, it works flawlessly
>> for my servers.
> This assumes the bad person only uses the same IP, it's better than
> nothing, but hardly a real security measure, not to mention all the idiot
> users you have that screw up their own passwords, generating more work for
> you.

For once I agree with Res.  _hackers_ don't always use the same IP - that's 
for the script kiddies.  fail2ban is useful - it keeps out specific compromised 
systems that are being used to attack you, but the hackers are finding new 
ones faster than you're banning them.  And again, Res is right about the 
users who forget their passwords - you need to have a simple procedure for 
unbanning their IP at the same time as you reset their password (and 
remember, if they're using dynamic IPs, you may have already banned a number 
of different addresses by the time they ask for a password reset - what do 
you do when a week later the user can't get in because he's been given the 
IP that is still banned).

More information about the ubuntu-users mailing list