Re: [gentoo-user] Fail2Ban vs SSHGuard? Comparison? What's the difference?
On 16/09/2017 23:25, Stroller wrote: > >> On 16 Sep 2017, at 20:31, Alan McKinnonwrote: >> >> As far as I'm aware (and could be wrong), sshguard is mostly just sshd >> whereas fail2ban works on anything you can give it consistent logs for. > > I thought otherwise, but you appear to be right - SSHGuard appears to have > only a handful of "signatures", so it looks like Fail2Ban it is. > > https://www.sshguard.net/docs/reference/attack-signatures/ I reckon too, you did say folding in IMAP would also be cool. As a sidenote, I've just finished rolling out fail2ban here at work. It's a mobile provider and ISP with millions and millions of hones out there, and the owners has some very odd ideas on how mail works. Especially just how much mail coming from their individual phones I'm willing to relay (answer: not very much at all :-) ) Anyway, fail2ban went on the mail relays with strict rules as to number of connections etc etc. The amount of tweaking I had to make was minimal - just change some numbers. All the rules I needed were already there baked in, I just had to enable them and set the numbers. It even knew these are FreeBSD relays so the packet filter is pf. It's such a pleasure to use a product built with real engineering in mind and does it right. fail2ban ticks that box for me. -- Alan McKinnon alan.mckin...@gmail.com
Re: [gentoo-user] Fail2Ban vs SSHGuard? Comparison? What's the difference?
> On 16 Sep 2017, at 20:31, Alan McKinnonwrote: > > As far as I'm aware (and could be wrong), sshguard is mostly just sshd > whereas fail2ban works on anything you can give it consistent logs for. I thought otherwise, but you appear to be right - SSHGuard appears to have only a handful of "signatures", so it looks like Fail2Ban it is. https://www.sshguard.net/docs/reference/attack-signatures/ Stroller.
Re: [gentoo-user] Fail2Ban vs SSHGuard? Comparison? What's the difference?
On 16/09/2017 16:06, Stroller wrote: > Is anyone familiar enough with this subject to make a comparison between > these two programs, please? > > If I google Fail2Ban vs SSHGuard I get many hits saying "I use this one", but > no-one saying why one might be better than the other. > > So far I'm favouring SSHGuard, but mostly because the website looks prettier. > > I want to be able to use passwords, so allowing logons only by public-key is > no good (also would be nice to block failed IMAP connection attempts). > > Thanks in advance for any thoughts. > > Stroller. > Depends what you want, they both achieve the same end. fail2ban reads all manner of log files and such, decides based on rules if someone is being naughty, and then takes actually (most often listing the source address in a packet filter drop rule). As far as I'm aware (and could be wrong), sshguard is mostly just sshd whereas fail2ban works on anything you can give it consistent logs for. There's not much to choose between them really. So go for the one that seems to fit your needs best, if you scan the man pages and sample rules files and one jumps out as a clear winner than you understand easily, then that is the one you use. The question is almost never "does this things do what I want?" as the answer is so often yes. The question is always "d I understand this thing as can drive it easily?" -- Alan McKinnon alan.mckin...@gmail.com
[gentoo-user] Fail2Ban vs SSHGuard? Comparison? What's the difference?
Is anyone familiar enough with this subject to make a comparison between these two programs, please? If I google Fail2Ban vs SSHGuard I get many hits saying "I use this one", but no-one saying why one might be better than the other. So far I'm favouring SSHGuard, but mostly because the website looks prettier. I want to be able to use passwords, so allowing logons only by public-key is no good (also would be nice to block failed IMAP connection attempts). Thanks in advance for any thoughts. Stroller.