SSH hacked?

Derek Broughton derek at pointerstop.ca
Wed Jan 14 18:26:26 UTC 2009


Knapp wrote:

> On Wed, Jan 14, 2009 at 4:24 PM, Derek Broughton
> <derek at pointerstop.ca> wrote:

>> Res is right about the users who forget their passwords - you need to
>> have a simple procedure for unbanning their IP at the same time as you
>> reset their password (and remember, if they're using dynamic IPs, you may
>> have already banned a number of different addresses by the time they ask
>> for a password reset - what do you do when a week later the user can't
>> get in because he's been given the IP that is still banned).
> 
> 
>  The answer to that is straight out of the Denyhosts config file. And
>  there is more but you get the idea.

Of course - I wasn't trying to suggest it's difficult, merely that if you are 
using something like fail2ban you need to be aware of how it's working, what 
it's doing and _establish_ a policy to ensure you don't get into a bind when 
idiot-end-users get locked out of the system.  

In my hypothetical case, suppose you've set up Denyhosts to expire a ban 
after two days, and when the user contacted you, you reset both his password 
and the ban for the IP address he's using right then, but the next day he's 
coming in on the address that he got banned a few hours earlier.  Probably 
telling him "you'll be able to access the system tomorrow" won't be good 
enough :-)

That said, I _would_ use fail2ban as part of an overall security strategy.
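The procedure discussed in this thread (reset the password and lift the bans at the same time, remembering that a dynamic-IP user may have been banned on several addresses) can be modelled on a few log lines. The script below is an added example, not code from the thread or from Denyhosts/fail2ban: the sshd log lines are constructed, the ban model is a simplification of Denyhosts-style behaviour (ban after a threshold of failures, purge the entry after a fixed period, in the spirit of the DENY_THRESHOLD_* and PURGE_DENY settings), and the function names are hypothetical. It shows why unbanning only the address the caller is on right now is not enough: the older address is still banned at call time, and the ban placed a few hours later outlives it.

```python
import re
from datetime import datetime, timedelta

# Constructed sample auth.log lines (syslog format, year omitted as sshd writes it).
# Not taken from the thread. "bob" fails from two dynamic addresses on different
# days; a separate scanner hammers a non-existent "admin" account.
SAMPLE_AUTH_LOG = """\
Jan 13 10:00:01 host sshd[2311]: Failed password for bob from 203.0.113.10 port 51022 ssh2
Jan 13 10:00:04 host sshd[2311]: Failed password for bob from 203.0.113.10 port 51022 ssh2
Jan 13 10:00:08 host sshd[2311]: Failed password for bob from 203.0.113.10 port 51022 ssh2
Jan 13 22:40:01 host sshd[2890]: Failed password for bob from 203.0.113.77 port 40110 ssh2
Jan 13 22:40:04 host sshd[2890]: Failed password for bob from 203.0.113.77 port 40110 ssh2
Jan 13 22:40:08 host sshd[2890]: Failed password for bob from 203.0.113.77 port 40110 ssh2
Jan 14 08:15:30 host sshd[3102]: Failed password for invalid user admin from 198.51.100.5 port 2222 ssh2
Jan 14 08:15:33 host sshd[3102]: Failed password for invalid user admin from 198.51.100.5 port 2222 ssh2
Jan 14 08:15:36 host sshd[3102]: Failed password for invalid user admin from 198.51.100.5 port 2222 ssh2
"""

# Matches the OpenSSH "Failed password" line for both real and invalid users.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port"
)


def parse_failures(log_text, year):
    """Return a list of (timestamp, username, ip) for each failed-password line."""
    failures = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
        failures.append((ts, m.group("user"), m.group("ip")))
    return failures


def compute_bans(failures, threshold=3, purge_after=timedelta(days=2)):
    """Simplified Denyhosts-style banning (assumption, not the real algorithm):
    an address is denied once it reaches `threshold` failures and the entry is
    purged `purge_after` later. Returns {ip: (banned_at, expires_at)}."""
    counts = {}
    bans = {}
    for ts, _user, ip in sorted(failures):
        if ip in bans:
            continue  # already denied; later attempts would be refused anyway
        counts[ip] = counts.get(ip, 0) + 1
        if counts[ip] >= threshold:
            bans[ip] = (ts, ts + purge_after)
    return bans


def active_bans(bans, now):
    """Addresses whose ban is in force at time `now`."""
    return {ip for ip, (start, end) in bans.items() if start <= now < end}


def ips_to_unban_for_user(failures, bans, user, now, lookback=timedelta(days=7)):
    """Help-desk step for a password reset: lift every active ban on an address
    from which `user` failed to log in within `lookback`, not only the address
    the caller happens to be on right now."""
    active = active_bans(bans, now)
    candidates = {ip for ts, u, ip in failures
                  if u == user and now - lookback <= ts <= now}
    return sorted(ip for ip in candidates if ip in active)


# Scenario from the thread: the user calls on the morning of the 14th, and
# tries again from his older address at midday on the 15th.
FAILURES = parse_failures(SAMPLE_AUTH_LOG, 2009)
BANS = compute_bans(FAILURES)
CALL_TIME = datetime(2009, 1, 14, 10, 0, 0)
NEXT_DAY = datetime(2009, 1, 15, 12, 0, 0)

if __name__ == "__main__":
    print("active at call time:", sorted(active_bans(BANS, CALL_TIME)))
    print("unban for bob at reset:", ips_to_unban_for_user(FAILURES, BANS, "bob", CALL_TIME))
    print("still active next day:", sorted(active_bans(BANS, NEXT_DAY)))
```

With the constructed data, both of bob's addresses are banned when he calls, so the reset procedure lifts both, while the scanner's address stays denied because no legitimate account was involved. The lookback window is the knob that corresponds to "a week later" in the quoted message: a user who cycles through several dynamic addresses over a few days is covered as long as the failed attempts carried his username.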
