Is it worth the effort to block failed login attempts

Is it worthwhile running fail2ban, sshdfilter or similar tools, which blacklist IP addresses which attempt and fail to login?

I've seen it argued that this is security theatre on a "properly secured" server. However, I feel that it probably makes script kiddies move on to the next server in their list.

Let's say that my server is "properly secured" and I am not worried that a brute force attack will actually succeed - are these tools simply keeping my logfiles clean, or am I getting any worthwhile benefit in blocking brute force attack attempts?

Update: Lots of comments about brute force guessing of passwords - I did mention that I wasn't worried about this. Perhaps I should have been more specific and asked whether fail2ban had any benefits for a server that only allows key based ssh logins.


Solution 1:

Rate limiting login attempts is an easy way to prevent some of the high speed password guessing attacks. However, it's hard to limit distributed attacks and many run at a low pace over weeks or months. I personally prefer to avoid using automated response tools like fail2ban. And this is for two reasons:

  1. Legitimate users sometimes forget their passwords. I don't want to ban legitimate users from my server, forcing me to manually enable their accounts again (or worse, try to figure out which of the 100/1000 banned IP addresses is theirs).
  2. An IP address is not a good identifier for a user. If you have multiple users behind a single IP (for example, a school that runs NAT on 500 student machines) a single user making a few bad guesses can land you in a world of pain. At the same time the majority of the password guessing attempts I see are distributed.

Therefore I don't consider fail2ban (and similar automated response tools) a very good approach to securing a server against brute force attacks. A simple IPTables rules set to cut down on the log spam (which I have on most of my linux servers) is something like this:

iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --set
iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 -j DROP

It prevents more than 4 connection attempts from a single IP to ssh in any 60 second period. The rest can be handled by ensuring passwords are reasonably strong. On high security servers forcing the users to use public key authentication is another way to stop guessing.

Solution 2:

Tools like fail2ban help to reduce unnecessary network traffic and to keep logfiles a bit smaller and cleaner. It's not a big security heal-all, but makes sysadmin life a bit easier; that's why i reccomend using fail2ban on systems where you can afford it.

Solution 3:

Its not just about cutting down on noise - most ssh attacks try to brute-force guesses at passwords. So while you'll see lots of failed ssh attempts, maybe by the time it gets the 2034th attempt they might get a valid username/password.

The nice thing about fail2ban compared with other approaches is that it has minimal effect on valid connections attempts.

Solution 4:

Well, it saves your network from denial attacks somewhat, and saves on the overhead of processing the failures.

Not being the weakest server on a script kiddies list is always a good thing.