On 31/08/11 10:54, Gordon Henderson wrote:
One thing to be aware of.. fail2ban is a solution that follows the "closing the door after the horse has bolted" type of scenario. It will not catch the first (and possibly not the 2nd, 3rd, etc. depending on configuration) probe and if that first probe is the one that finds the vulnerability - zero-day exploit - then you've lost and they've gotten in. It's probably more suited to reducing attacks like password guesses on ssh, telnet, ftp, pop, imap, etc. services than random URL probes at a web server. Even then, if your passwords are secure, all it's saving you is a tiny bit of bandwidth. So don't use it as an excuse to not keep things patched and up to date. It's just one tool in an overall strategy.
Agreed. I don't even have phpmyadmin on that server, but the probes indicate a cracking attempt, so fail2ban will help keep those crackers away; maybe they'll be dissuaded from trying something which /does/ have a vulnerability.
Anthony
--
Author of C++ Concurrency in Action http://www.stdthread.co.uk/book/
just::thread C++0x thread library http://www.stdthread.co.uk
Just Software Solutions Ltd http://www.justsoftwaresolutions.co.uk
15 Carrallack Mews, St Just, Cornwall, TR19 7UL, UK. Company No. 5478976

--
The Mailing List for the Devon & Cornwall LUG
http://mailman.dclug.org.uk/listinfo/list
FAQ: http://www.dcglug.org.uk/listfaq
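The point Gordon makes above (fail2ban only acts after maxretry matching lines have already reached the service) and the phpmyadmin probes Anthony mentions can both be seen by replaying fail2ban's maxretry/findtime/bantime logic over a log. The script below is an added example written for this page, not code from either poster or from the fail2ban project: the access-log lines are constructed, the scanner IP, user agent, and jail parameters are assumed values, and the Python regex stands in for the `failregex` (with fail2ban's `<HOST>` placeholder) that would live in a real `filter.d/*.conf`.

```python
"""Replay fail2ban-style banning over constructed Apache access-log lines.

Added example for this thread, not the posters' or fail2ban's own code.
Shows that the first (maxretry - 1) probes always reach the web server, and
that a findtime too short for the probe rate never bans at all.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (Apache "combined" format). 203.0.113.7 is an assumed
# scanner hitting phpMyAdmin paths that do not exist on this host (hence 404);
# 198.51.100.20 is assumed legitimate traffic that must never be banned.
SAMPLE_LOG = """\
203.0.113.7 - - [31/Aug/2011:10:40:01 +0100] "GET /phpmyadmin/ HTTP/1.1" 404 512 "-" "ZmEu"
203.0.113.7 - - [31/Aug/2011:10:40:02 +0100] "GET /phpMyAdmin/ HTTP/1.1" 404 512 "-" "ZmEu"
198.51.100.20 - - [31/Aug/2011:10:40:03 +0100] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.7 - - [31/Aug/2011:10:40:03 +0100] "GET /pma/ HTTP/1.1" 404 512 "-" "ZmEu"
203.0.113.7 - - [31/Aug/2011:10:40:04 +0100] "GET /myadmin/scripts/setup.php HTTP/1.1" 404 512 "-" "ZmEu"
198.51.100.20 - - [31/Aug/2011:10:40:05 +0100] "GET /about.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
203.0.113.7 - - [31/Aug/2011:10:40:06 +0100] "GET /phpmyadmin/scripts/setup.php HTTP/1.1" 404 512 "-" "ZmEu"
"""

# Python equivalent of a fail2ban failregex such as
#   ^<HOST> \S+ \S+ \[.*\] "(?:GET|POST) /(?:phpmyadmin|pma|myadmin)(?:/|\s).*" 40[34]
# Only 403/404 answers for admin-panel paths count, so a real phpMyAdmin
# login on a host that has one would not match.
FAILREGEX = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?:GET|POST) /(?:phpmyadmin|pma|myadmin)(?:/|\s)[^"]*" 40[34] ',
    re.IGNORECASE,
)


def parse_ts(s: str) -> datetime:
    """Apache timestamp '31/Aug/2011:10:40:01 +0100' -> aware datetime."""
    return datetime.strptime(s, "%d/%b/%Y:%H:%M:%S %z")


def run_jail(log_text: str, maxretry: int = 3, findtime: int = 600, bantime: int = 3600):
    """Replay the jail. Returns (banned, passed, blocked).

    banned : ip -> time the ban was applied
    passed : matching probe lines that hit the server before any ban
    blocked: matching lines that arrived while the source was banned (in a
             real deployment the firewall drops these, so they never get
             logged; here they model what the scanner attempted)
    Lines are assumed to be in ascending time order, as in a live log.
    """
    window, ban_len = timedelta(seconds=findtime), timedelta(seconds=bantime)
    failures = defaultdict(deque)  # ip -> timestamps inside the findtime window
    banned, passed, blocked = {}, [], []
    for line in log_text.splitlines():
        m = FAILREGEX.match(line)
        if not m:
            continue  # not a probe, so not a fail2ban event at all
        ip, ts = m.group("host"), parse_ts(m.group("ts"))
        if ip in banned and ts < banned[ip] + ban_len:
            blocked.append(line)
            continue
        passed.append(line)  # fail2ban only sees the line once the request is served
        q = failures[ip]
        q.append(ts)
        while q and ts - q[0] > window:  # drop failures older than findtime
            q.popleft()
        if len(q) >= maxretry:
            banned[ip] = ts
            q.clear()
    return banned, passed, blocked


def probes_before_ban(log_text: str, maxretry: int = 3) -> int:
    """How many scanner requests the web server answered before the ban."""
    return len(run_jail(log_text, maxretry=maxretry)[1])


if __name__ == "__main__":
    for retries in (1, 3, 5):
        print(f"maxretry={retries}: {probes_before_ban(SAMPLE_LOG, retries)} probes got through")
```

Run it and the count of served probes is always at least one, and equals maxretry whenever the scanner is faster than findtime; lowering maxretry shortens the exposure but can never remove it, which is why a probe that lands on something actually vulnerable is unaffected by the jail.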