On Wed, 31 Aug 2011, Anthony Williams wrote:
> On 31/08/11 10:54, Gordon Henderson wrote:
>> One thing to be aware of.. fail2ban is a solution that follows the "closing the door after the horse has bolted" type of scenario. It will not catch the first (and possibly not the 2nd, 3rd, etc. depending on configuration) probe and if that first probe is the one that finds the vulnerability - zero-day exploit - then you've lost and they've gotten in.
>>
>> It's probably more suited to reducing attacks like password guesses on ssh, telnet, ftp, pop, imap, etc. services than random URL probes at a web server. Even then, if your passwords are secure, all it's saving you is a tiny bit of bandwidth. So don't use it as an excuse to not keep things patched and up to date. It's just one tool in an overall strategy.
>
> Agreed. I don't even have phpmyadmin on that server, but the probes indicate a cracking attempt, so fail2ban will help keep those crackers away; maybe they'll be dissuaded from trying something which /does/ have a vulnerability.
You're assuming they're clever. 99.999% of them are not. They blindly run scripts developed by someone else, or crudely change those scripts and programs - not always in a sensible manner.
Gordon

--
The Mailing List for the Devon & Cornwall LUG
http://mailman.dclug.org.uk/listinfo/list
FAQ: http://www.dcglug.org.uk/listfaq
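The point Gordon makes about fail2ban only reacting after a threshold of failures can be seen by simulating its counting rule over a few log lines. The script below is an added illustration, not code from the thread or from the fail2ban project: it reimplements the sliding-window logic behind fail2ban's real `maxretry`, `findtime` and `bantime` jail settings in plain Python and runs it over constructed sshd-style log lines. Hostnames, IPs and timestamps in the sample are made up; the log format assumed is the stock OpenSSH "Failed password" line.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (not from the original thread). Two sources:
# 203.0.113.7 hammers the server quickly, 198.51.100.9 probes slowly.
SAMPLE_LOG = """\
Aug 31 10:54:01 host sshd[1001]: Failed password for invalid user admin from 203.0.113.7 port 40001 ssh2
Aug 31 10:54:05 host sshd[1002]: Failed password for invalid user admin from 203.0.113.7 port 40002 ssh2
Aug 31 10:54:09 host sshd[1003]: Failed password for root from 203.0.113.7 port 40003 ssh2
Aug 31 10:54:12 host sshd[1004]: Failed password for root from 203.0.113.7 port 40004 ssh2
Aug 31 10:54:30 host sshd[1005]: Failed password for root from 198.51.100.9 port 50001 ssh2
Aug 31 11:30:00 host sshd[1006]: Failed password for root from 198.51.100.9 port 50002 ssh2
"""

# Matches the standard OpenSSH failed-authentication line (assumption: syslog
# timestamp without a year, as on the 2011-era systems in the thread).
FAIL_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for .* from (?P<ip>[\d.]+)"
)


def simulate(log_text, maxretry=3, findtime=600, bantime=3600, year=2011):
    """Replay failures through a fail2ban-style counter.

    Returns (passed, bans): `passed` lists (ip, timestamp) for every failure
    that reached the service before any ban took effect; `bans` lists
    (ip, timestamp) for each ban decision. A real jail blocks the source in
    the firewall, so attempts during a ban would never even be logged; here
    they are simply skipped to model that.
    """
    window = defaultdict(deque)   # per-IP timestamps of recent failures
    banned_until = {}             # ip -> datetime when the ban expires
    passed, bans = [], []
    for line in log_text.splitlines():
        m = FAIL_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        ip = m["ip"]
        if ip in banned_until and ts < banned_until[ip]:
            continue  # blocked by the existing ban
        passed.append((ip, ts))   # this attempt got through to sshd
        q = window[ip]
        q.append(ts)
        # Drop failures older than findtime: a slow prober never accumulates.
        while q and (ts - q[0]).total_seconds() > findtime:
            q.popleft()
        if len(q) >= maxretry:
            banned_until[ip] = ts + timedelta(seconds=bantime)
            bans.append((ip, ts))
            q.clear()
    return passed, bans


def attempts_that_got_through(passed, ip):
    """Count how many failures from `ip` were seen before the jail reacted."""
    return sum(1 for src, _ in passed if src == ip)


if __name__ == "__main__":
    passed, bans = simulate(SAMPLE_LOG)
    for ip, ts in bans:
        print(f"banned {ip} at {ts:%H:%M:%S}")
    for ip in ("203.0.113.7", "198.51.100.9"):
        print(f"{ip}: {attempts_that_got_through(passed, ip)} attempts reached sshd")
```

With the defaults above, the fast source is banned only on its third failure, so two probes reach the service untouched, and the slow source is never banned at all because its two failures fall outside `findtime`. That is the gap Gordon describes: the tool limits the cost of repeated guesses, but it cannot stop a single probe that happens to succeed, and a patient attacker can stay under the threshold indefinitely.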