Fail2Ban not installed, big security issue!


Hi

I just wanted to add that when SSH is publicly accessible, especially when the bitcoin and lightning node is exposed, SSH access should be properly protected.

By simply running: sudo apt-get install fail2ban

a service that IP-bans computers for 10 minutes when they make too many failed login attempts is automatically set up.

After setting this up myself my log showed:

tail -f /var/log/fail2ban.log

2018-08-08 09:05:13,556 fail2ban.filter         [31984]: INFO    [sshd] Found 121.18.238.123 - 2018-08-08 09:05:13
2018-08-08 09:05:16,261 fail2ban.filter         [31984]: INFO    [sshd] Found 121.18.238.123 - 2018-08-08 09:05:15
2018-08-08 09:05:26,252 fail2ban.filter         [31984]: INFO    [sshd] Found 121.18.238.123 - 2018-08-08 09:05:25
2018-08-08 09:05:28,957 fail2ban.filter         [31984]: INFO    [sshd] Found 121.18.238.123 - 2018-08-08 09:05:28
2018-08-08 09:05:39,332 fail2ban.filter         [31984]: INFO    [sshd] Found 121.18.238.123 - 2018-08-08 09:05:31
2018-08-08 09:05:39,826 fail2ban.actions        [31984]: NOTICE  [sshd] Ban 121.18.238.123

As you can see, a Chinese IP address has been attempting to log in every couple of seconds for god knows how long. As soon as I installed Fail2Ban, this IP was banned from access.

Issue Analytics

  • State: closed
  • Created 5 years ago
  • Comments: 12 (10 by maintainers)
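
To read a log like the one in the post above at a glance, the following added example (not part of the original issue or of fail2ban itself) counts the "Found" events per jail and IP and measures how long the first failure took to lead to a "Ban". The function name summarize and the sample lines are assumptions made for illustration; the sample uses documentation-range addresses in the same line format as the post.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the fail2ban.log format quoted in the post
# (documentation-range IPs, not real observations).
SAMPLE_LOG = """\
2018-08-08 09:05:13,556 fail2ban.filter         [31984]: INFO    [sshd] Found 203.0.113.7 - 2018-08-08 09:05:13
2018-08-08 09:05:16,261 fail2ban.filter         [31984]: INFO    [sshd] Found 203.0.113.7 - 2018-08-08 09:05:15
2018-08-08 09:05:20,100 fail2ban.filter         [31984]: INFO    [sshd] Found 198.51.100.9 - 2018-08-08 09:05:20
2018-08-08 09:05:26,252 fail2ban.filter         [31984]: INFO    [sshd] Found 203.0.113.7 - 2018-08-08 09:05:25
2018-08-08 09:05:28,957 fail2ban.filter         [31984]: INFO    [sshd] Found 203.0.113.7 - 2018-08-08 09:05:28
2018-08-08 09:05:33,410 fail2ban.filter         [31984]: INFO    [sshd] Found 198.51.100.9 - 2018-08-08 09:05:33
2018-08-08 09:05:39,332 fail2ban.filter         [31984]: INFO    [sshd] Found 203.0.113.7 - 2018-08-08 09:05:31
2018-08-08 09:05:39,826 fail2ban.actions        [31984]: NOTICE  [sshd] Ban 203.0.113.7
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d+\s+"
    r"fail2ban\.(?:filter|actions)\s+\[\d+\]:\s+\w+\s+"
    r"\[(?P<jail>[^\]]+)\]\s+(?P<event>Found|Ban|Unban)\s+(?P<ip>\S+)"
)

def summarize(log_text):
    """Map (jail, ip) -> failures seen, current ban state, seconds from first failure to ban."""
    stats = defaultdict(lambda: {"found": 0, "banned": False,
                                 "first": None, "secs_to_ban": None})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines that are not Found/Ban/Unban events
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        s = stats[(m["jail"], m["ip"])]
        if m["event"] == "Found":
            s["found"] += 1
            s["first"] = s["first"] or ts
        elif m["event"] == "Ban":
            s["banned"] = True
            if s["first"] is not None:
                s["secs_to_ban"] = (ts - s["first"]).total_seconds()
        else:  # Unban: the address is allowed to connect again
            s["banned"] = False
    return dict(stats)

if __name__ == "__main__":
    for (jail, ip), s in summarize(SAMPLE_LOG).items():
        print(jail, ip, s["found"], "banned" if s["banned"] else "not banned", s["secs_to_ban"])
```

Addresses that keep producing "Found" lines without ever reaching a "Ban" are the ones to look at when tuning the jail's retry threshold.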

Top GitHub Comments

harding commented, Aug 8, 2018 (1 reaction)

If your server is protected by a secure passphrase (or, even better, has password access disabled and logins only using a private key), fail2ban and similar tools don’t add any security. However, the cryptographic setup for an SSH session (which happens before a passphrase is provided) is computationally expensive for both sides of the connection, so I’ve seen the CPUs of low-power computers (e.g. RPi version 1) overwhelmed just by attempted passphrase brute forcing.

Fail2ban is a good and easy solution to this, although you do want to keep the ban time small in my experience—I’ve locked myself out of several systems before by, e.g., entering the wrong password several times in a row by accident. Another solution is requiring logins in sshd_config only using private keys (obviously after setting that up first), as I believe that will reject passphrase attempts before the expensive cryptographic setup starts.
