Hi, recently (ironically, right after sharing some of my posts here on Lemmy) I had a higher (than usual, not high in general) number of “attacks” to my website (I am talking about dumb bots, vulnerability scanners and similar stuff). While all of these are not really critical for my site (which is static and minimal), I decided to take some time and implement some generic measures using (mostly) Crowdsec (fail2ban alternative?) and I made a post about that to help someone who might be in a similar situation.

The whole thing is basic, in the sense that is just a way to reduce noise and filter out the simplest attacks, which is what I argue most of people hosting websites should be mostly concerned with.

You are viewing a single thread.
View all comments
6 points

I recall hearing that openssh has something like fail2ban built-in now. I forget the name of the feature.

permalink
report
reply
5 points

AFAIK I know that SSH has MaxAuthTries and LoginGraceTime, but all it does is terminating the SSH session (I.e. slow down at most), it won’t block the IP via firewall or configuration.

Not sure if there is a recent feature that does the same.

permalink
report
parent
reply
5 points

It’s this (excuse formatting): https://www.openssh.com/releasenotes.html

sshd(8) will now penalise client addresses that, for various reasons, do not successfully complete authentication. This feature is controlled by a new sshd_config(5) PerSourcePenalties option and is on by default.

sshd(8) will now identify situations where the session did not authenticate as expected. These conditions include when the client repeatedly attempted authentication unsucessfully (possibly indicating an attack against one or more accounts, e.g. password guessing), or when client behaviour caused sshd to crash (possibly indicating attempts to exploit bugs in sshd).

When such a condition is observed, sshd will record a penalty of some duration (e.g. 30 seconds) against the client’s address. If this time is above a minimum configurable threshold, then all connections from the client address will be refused (along with any others in the same PerSourceNetBlockSize CIDR range) until the penalty expire.

Repeated offenses by the same client address will accrue greater penalties, up to a configurable maximum. Address ranges may be fully exempted from penalties, e.g. to guarantee access from a set of trusted management addresses, using the new sshd_config(5) PerSourcePenaltyExemptList option.

permalink
report
parent
reply
3 points

Nice! I didn’t know this. Thanks!

permalink
report
parent
reply

Selfhosted

!selfhosted@lemmy.world

Create post

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don’t control.

Rules:

  1. Be civil: we’re here to support and learn from one another. Insults won’t be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it’s not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don’t duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

Community stats

  • 5K

    Monthly active users

  • 3.6K

    Posts

  • 81K

    Comments