Fail2Ban Unnecessary?

General discussions around KeyHelp.
Post Reply
latifolia
Posts: 46
Joined: Wed 18. Aug 2021, 09:08

Fail2Ban Unnecessary?

Post by latifolia »

Hello,

Sorry if I asked something that has been asked before but I only understand english.

So, I set up new KeyHelp server (latest version), and also do these things :

- Change SSH port to non-standard
- Use pubkeys to login SSH (disable paaswd, disable root login, enable only specific IPs for SSH login)
- Disable Keyhelp virusscan

Do I still need Fail2ban or can I disable it? My new VPS has only 2 vcpu and 1 GB memory, so I need to save as much resources as I can.

Thank you!
User avatar
Daniel
Keyweb AG
Posts: 124
Joined: Mon 25. Jan 2016, 04:42

Re: Fail2Ban Unnecessary?

Post by Daniel »

Hello,

basically you can run any public server without fail2ban. So you might also decide yourself if you like to disable it or not.
But just be aware: You need to rely on strong passwords for mailaccounts or other login jails.

You should also set some additional settings at

Code: Select all

/etc/ssh/sshd_config

Code: Select all

PermitRootLogin without-password
MaxAuthTries 2
Same activate 2FA in Keyhelp for Administrative and Domainusers.
Mit freundlichen Grüßen / Best regards
Daniel Marckardt

**************************************************************
Keyweb AG - Die Hosting Marke
Neuwerkstr. 45/46, 99084 Erfurt / Germany
https://www.keyweb.de - https://www.keyhelp.de
**************************************************************
latifolia
Posts: 46
Joined: Wed 18. Aug 2021, 09:08

Re: Fail2Ban Unnecessary?

Post by latifolia »

Thanks for replying!

btw, this SSH config will not get replaced by automatic updates, or will they?

Code: Select all

/etc/ssh/sshd_config
I have made lots of changes in that file.
User avatar
Alexander
Keyweb AG
Posts: 3923
Joined: Wed 20. Jan 2016, 02:23

Re: Fail2Ban Unnecessary?

Post by Alexander »

No, it will not be touched.
Mit freundlichen Grüßen / Best regards
Alexander Mahr

**************************************************************
Keyweb AG - Die Hosting Marke
Neuwerkstr. 45/46, 99084 Erfurt / Germany
http://www.keyweb.de - http://www.keyhelp.de
**************************************************************
User avatar
BasHeijermans
KeyHelp Translator
Posts: 166
Joined: Mon 20. Jun 2022, 12:01
Location: Heppen Belgium
Contact:

Re: Fail2Ban Unnecessary?

Post by BasHeijermans »

To make SSH more secure you can block all IP's except the ones listed in:

nano /etc/hosts.allow

Just insert this, then all IP's for SSH are blocked:

Code: Select all

#IPv4.
sshd : x.x.x.x : allow
#IPv6 just a sample, but you probably need a range for IPv6 that match your private range.
sshd : [x:x:x:x::]/48 : allow
# Others deny
sshd : ALL : deny
When done this, nobody can touch SSH, not even localhost if not listed for allow.
Be carefull using this :lol:
Greetings Bas.

Ik heb KeyHelp naar het Nederlands vertaald, contacteer me als er translatie fouten zijn.
(I have translated KeyHelp into Dutch, contact me if there are translation errors.)
Next version 24 of KeyHelp 100% translated.
Post Reply