by nixos
3530 days ago
> This assertion confuses me. I suspect that you're confusing fail2ban and port-knocking (or using fail2ban as a port-knocker). The point of fail2ban is to prevent an attacker from brute-forcing your server. In a key-only config, the chances of getting brute-forced are smaller (by a few orders of magnitude) than getting hit by an asteroid and having the server get hit by an asteroid, so fail2ban doesn't really help. _In theory_, the same would be true for port-knocking. However, in practice, sshd can have security holes which a malicious scanner could exploit. And while port-knocking doesn't help against a determined attacker (it's subject to MITM and replay attacks), it does help with defense-in-depth.