[CentOS] iptables question

Tue Jun 17 01:18:27 UTC 2014
Keith Keller <kkeller at wombat.san-francisco.ca.us>

[previous article hasn't appeared on gmane yet]

On 2014-06-16, Eliezer Croitoru <eliezer at ngtech.co.il> wrote:
> On 06/17/2014 01:46 AM, Bret Taylor wrote:
>> Get rid of fail2ban, it's not needed. Just write a proper firewall.
> Are you serious??
> There are applications that fail2ban offers them things which others 
> just can't..

Indeed, fail2ban and its ilk (e.g. my new favorite, sshguard) modify
iptables rules in response to excessive failed login attempts.  A
''proper firewall'' with just static iptables rules can't do that.
And with so many pwn3d hosts out there being used to bounce attacks off
of, it is foolish to rely on static rules alone to fend off these
attacks.

Much better of course are static firewall rules that block off all but
a few whitelisted hosts.  But that is much less flexible for users.

--keith



-- 
kkeller at wombat.san-francisco.ca.us
(try just my userid to email me)
AOLSFAQ=http://www.therockgarden.ca/aolsfaq.txt
see X- headers for PGP signature information
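To make the two approaches in the thread concrete, here is an added example (not from Keith, Eliezer, or the fail2ban/sshguard projects): a fail2ban-style ban list derived from a few constructed sshd log lines, next to the whitelist-only static ruleset the post contrasts it with. The threshold, the addresses and the log text are assumptions; the script prints iptables commands rather than applying them.

```shell
#!/bin/sh
# Added example: dynamic ban (fail2ban-style) vs. static whitelist.
# Rules are printed, not applied; pipe through sh on a real host.

# Constructed sample of sshd lines from /var/log/secure (not a real log).
SAMPLE_LOG='Jun 16 23:58:01 host sshd[2101]: Failed password for root from 203.0.113.5 port 51022 ssh2
Jun 16 23:58:03 host sshd[2103]: Failed password for invalid user admin from 203.0.113.5 port 51030 ssh2
Jun 16 23:58:04 host sshd[2105]: Failed password for root from 203.0.113.5 port 51041 ssh2
Jun 16 23:58:09 host sshd[2110]: Failed password for root from 198.51.100.7 port 40001 ssh2
Jun 16 23:58:30 host sshd[2120]: Accepted publickey for keith from 192.0.2.10 port 33000 ssh2'

THRESHOLD=3   # assumed: ban a source after this many failed logins

# Dynamic side: read log text on stdin, count "Failed password" lines per
# source address, and emit one DROP rule for every source at or above
# THRESHOLD. Successful logins are ignored, so 192.0.2.10 is never banned.
dynamic_bans() {
    grep 'sshd\[[0-9]*\]: Failed password' \
    | sed -n 's/.* from \([0-9.]*\) port .*/\1/p' \
    | sort | uniq -c \
    | awk -v t="$THRESHOLD" \
        '$1 >= t { printf "iptables -I INPUT -s %s -p tcp --dport 22 -j DROP\n", $2 }'
}

# Static side: accept SSH only from the listed hosts, drop all other SSH.
# Simple and robust, but every new admin location needs a rule change,
# which is the flexibility cost the post mentions.
static_whitelist() {
    for h in "$@"; do
        echo "iptables -A INPUT -s $h -p tcp --dport 22 -j ACCEPT"
    done
    echo "iptables -A INPUT -p tcp --dport 22 -j DROP"
}

printf '%s\n' "$SAMPLE_LOG" | dynamic_bans
static_whitelist 192.0.2.10 192.0.2.11
```

With the sample above only 203.0.113.5 reaches the threshold, so the dynamic side emits a single DROP rule while the static side emits two ACCEPTs and a final DROP regardless of what the log says.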