Steffen Dettmer
2024-06-28 15:30:01 UTC
Hi,
I encountered multiple times that debian based containers use fail2ban by
default with a max attempt value of 5, even for SSH logins using strong
asymmetric keys.
(Again I just got locked out for 1h (fortunately a container, so I can
access anyway). Do you know what happened? My SSH key agent asked whether
to allow the key signing request, I accidentally said No, skipped the
password queries by pressing enter and tried again and it timed out
(according to my count that were 4 failures, but fail2ban banned my IP and
config file said it would ban after 5). Maybe I should be glad that the
default action is just 1hr ban, and not to secure-erase rootfs and brick
the main board (*).)
I would like to understand how it was possible to get such default values.
They are good to help to implement denial of service attacks, but not
suited for production. Does anybody really think it is of any help to limit
strong pub key authentication after 5 tries? Ohh, and my connection is from
the LAN. I don't know if this is a debian default.
Any hints (links) why this is included at all and where the defaults come
from appreciated!
Steffen
(*) I know I should be careful with such jokes, as someone might like and
implement it. Activated by default, of course.
I encountered multiple times that debian based containers use fail2ban by
default with a max attempt value of 5, even for SSH logins using strong
asymmetric keys.
(Again I just got locked out for 1h (fortunately a container, so I can
access anyway). Do you know what happened? My SSH key agent asked whether
to allow the key signing request, I accidentally said No, skipped the
password queries by pressing enter and tried again and it timed out
(according to my count that were 4 failures, but fail2ban banned my IP and
config file said it would ban after 5). Maybe I should be glad that the
default action is just 1hr ban, and not to secure-erase rootfs and brick
the main board (*).)
I would like to understand how it was possible to get such default values.
They are good to help to implement denial of service attacks, but not
suited for production. Does anybody really think it is of any help to limit
strong pub key authentication after 5 tries? Ohh, and my connection is from
the LAN. I don't know if this is a debian default.
Any hints (links) why this is included at all and where the defaults come
from appreciated!
Steffen
(*) I know I should be careful with such jokes, as someone might like and
implement it. Activated by default, of course.