
I have seen a lot of posts showing how to install fail2ban along with firewalld and wanted to know if fail2ban is really required for my set up.

My setup is as follows:

  • CentOS 8 in a VPS
  • Public facing IP
  • Firewalld active and blocking everything except the below
  • Port 80/443 open to the world
  • Port 22 only open to 3 IP addresses
  • No remote root ssh allowed
  • No password ssh allowed - only ssh-key logins allowed

With this setup do I even need fail2ban, and if so what purpose does it solve? I found a thread which claims things about CPU costs if not using fail2ban: "Does fail2ban offer any additional protection to SSH if password login is already turned off?"

Is this true for my setup? I can appreciate that fail2ban can be used for other log monitoring and alerting, but for SSH only, will it be a waste?

2 Answers


fail2ban's logic is pretty simple: If a certain number of failed ssh login attempts are made from the same IP, that IP is temporarily blocked.

Since you exposed port 22 only to 3 IP addresses, you're already blocking intruders from accessing SSH. Your other precautions (no root, no passwords) are also very good. Based on those existing precautions, I wouldn't worry about fail2ban.

Some people may say that fail2ban is useful for more than ssh, but with only port 80/443 exposed, I struggle to think of a case.

Finally, you already linked to an answer which offers two other benefits:

  1. Keeping auth log from filling up
  2. Reduces unnecessary CPU cycles dealing with bruteforce attempts.

I don't think either of these is a benefit to you. Since you are limiting port 22 to three IP addresses, you won't be getting attempts from random IP addresses. The only way fail2ban would do anything is if one of those three IP addresses started bruteforcing you specifically. Any bruteforcing is unlikely to be successful because you already disabled root and disabled passwords. Therefore that specific IP address would be banned, and I assume that's a bigger problem for you since it's on your shortlist and is probably necessary to your operations.

  • Depending on what is legit usage on port 80/443, you can ban rapid POSTs, which are almost always bots trying to brute-force login forms. Even if hammering a non-existing wp-admin isn't much of a risk, it will create noise that is annoying for any access statistics you might do. Commented Aug 14, 2020 at 6:17
  • Since 80 and 443 are for web servers, there's actually a lot fail2ban can do depending on the webapp that's hosted. I think this answer is misleading by suggesting it's just an SSH protection. It's really much more. Commented Aug 14, 2020 at 23:33

Fail2ban is never "required"; it is, however, useful.

If SSH can only be accessed via a handful of IPs, and you generally trust those with access to these IPs, then fail2ban is less useful for protecting SSH. Indeed it can be a pain if someone has problems logging in and they suddenly get the whole office blocked.

But fail2ban is much more than an SSH protection. Its config is pretty complex, but it can be configured to watch any log. This means that your web applications (on port 80 and 443) can be monitored too. Some well-known web apps (such as WordPress) draw a lot of unwanted hacking attempts from bots. Fail2ban is also a good mechanism for banning these.

So in your case I suspect fail2ban won't be much use for protecting SSH, but do consider what protection you will put on your web apps.
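The ban logic the first answer describes, and the trusted-address lockout the second answer warns about, as an added Python model written for this page (not the answerers' code and not fail2ban itself): a jail that counts login failures per source IP inside a findtime window, bans at maxretry for bantime, and skips anything listed in ignoreip, which is the knob that stops the three allowed addresses from banning themselves. The sshd log lines, IPs and thresholds below are constructed for the demo, and no firewall rule is actually applied.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Failure patterns modelled on fail2ban's sshd filter; with passwords disabled a
# refused key-only login is logged as "Connection closed by authenticating user".
FAIL_RE = re.compile(
    r"(?:Failed password for (?:invalid user )?\S+ from"
    r"|Connection closed by authenticating user \S+) "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})")

class Jail:
    def __init__(self, maxretry=5, findtime=600, bantime=3600, ignoreip=()):
        self.maxretry, self.findtime, self.bantime = maxretry, findtime, bantime
        self.ignoreip = set(ignoreip)       # trusted sources are never banned
        self.failures = defaultdict(deque)  # ip -> failure times inside findtime
        self.bans = {}                      # ip -> time the ban expires

    def observe(self, line, year=2020):
        """Feed one log line; return the IP if this line triggers a ban."""
        m = FAIL_RE.search(line)
        if not m:                           # not a login failure: nothing to count
            return None
        ip = m.group("ip")
        stamp = datetime.strptime(line[:15], "%b %d %H:%M:%S")  # syslog has no year
        now = stamp.replace(year=year).timestamp()
        if ip in self.ignoreip or self.bans.get(ip, 0) > now:
            return None
        window = self.failures[ip]
        window.append(now)
        while window[0] < now - self.findtime:  # forget failures outside findtime
            window.popleft()
        if len(window) >= self.maxretry:        # maxretry hits => ban for bantime
            self.bans[ip] = now + self.bantime
            window.clear()
            return ip
        return None

def replay(lines, **jail_opts):
    """Replay log lines in order and return the IPs that got banned."""
    jail = Jail(**jail_opts)
    return [ip for ip in map(jail.observe, lines) if ip]

# Constructed sample auth log (not real traffic): a bot at 198.51.100.7 and a
# trusted office address 203.0.113.10 each fail five times within ten minutes.
SAMPLE_LOG = [
    f"Aug 14 06:{17 + 10 * k + i:02d}:01 vps sshd[9{i}0]: Connection closed by "
    f"authenticating user root {ip} port 4{i}000 [preauth]"
    for k, ip in enumerate(("198.51.100.7", "203.0.113.10")) for i in range(5)]
```

In a real jail.local the same knobs are named maxretry, findtime, bantime and ignoreip; putting the three allowed addresses in ignoreip is what prevents the office lockout described above.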
