is fail2ban safe? Better to use ssh keys?

Solution 1:

I judge it as a stable product and I regard it as safe. As an extra precaution I would add your source IP address to the ignoreip directive in the jails.conf to make sure you don't block yourself.

Since it parses the ssh logs a TCP session is going to have to be established so spoofing source IPs and getting the TCP sequences numbers right to create a sort of backscatter variation seems unlikely.

Using keys on top of this as well isn't a bad idea. Other options that help are moving ssh to a nonstandard IP, using the "recent" iptables module, or just deciding you don't care if people try to brute force passwords. See this serverfault post for more on these.

Solution 2:

Every time I've ever implemented denyhosts or fail2ban in a production environment it has created a guaranteed ticket-stream of unlock requests, password reset requests, requests to change the settings or manage the whitelist, and generally just people who give up logging in to look into things and lean more on the sysadmins for stuff they could do themselves.

Its not a technical problem with either tool per-se, but if your users number in the dozens or greater its going to be a noticable uptick in support workload and frustrated users.

Also, the problem they solve is they reduce your risk of brute force ssh login attacks. Honestly, the risk of that is incredibly small as long as you have even a moderately decent password policy.