[previous article hasn't appeared on gmane yet]

On 2014-06-16, Eliezer Croitoru <eliezer at ngtech.co.il> wrote:
> On 06/17/2014 01:46 AM, Bret Taylor wrote:
>> Get rid of fail2ban, it's not needed. Just write a proper firewall.
> Are you serious??
> There are applications that fail2ban offers them things which others
> just can't..

Indeed, fail2ban and its ilk (e.g. my new favorite, sshguard) modify
iptables rules in response to excessive failed login attempts. A
"proper firewall" with just static iptables rules can't do that. And
with so many pwn3d hosts out there being used to bounce attacks off of,
it is foolish to rely on static rules alone to fend off these attacks.

Much better of course are static firewall rules that block off all but
a few whitelisted hosts. But that is much less flexible for users.

--keith

--
kkeller at wombat.san-francisco.ca.us
(try just my userid to email me)
AOLSFAQ=http://www.therockgarden.ca/aolsfaq.txt
see X- headers for PGP signature information
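The dynamic behaviour described in the message above, sketched as an added example that is not part of the original post and is not fail2ban's or sshguard's own code: count failed SSH logins per source address inside a sliding window, skip whitelisted hosts, and render the iptables rule a ban tool would insert. The log lines are constructed, and the names `find_offenders`, `ban_rules`, `max_retry`, `find_time`, the thresholds, the year and port 22 are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample sshd log lines (documentation addresses, not real traffic).
SAMPLE_LOG = """\
Jun 16 22:01:02 host sshd[411]: Failed password for root from 203.0.113.9 port 4242 ssh2
Jun 16 22:01:05 host sshd[412]: Failed password for invalid user admin from 203.0.113.9 port 4243 ssh2
Jun 16 22:01:09 host sshd[413]: Failed password for root from 203.0.113.9 port 4244 ssh2
Jun 16 22:02:00 host sshd[420]: Failed password for keith from 198.51.100.7 port 5000 ssh2
Jun 16 22:02:30 host sshd[421]: Accepted password for keith from 198.51.100.7 port 5001 ssh2
Jun 16 22:03:00 host sshd[430]: Failed password for root from 192.0.2.10 port 6000 ssh2
Jun 16 22:03:01 host sshd[431]: Failed password for root from 192.0.2.10 port 6001 ssh2
Jun 16 22:03:02 host sshd[432]: Failed password for root from 192.0.2.10 port 6002 ssh2
Jun 16 22:30:00 host sshd[440]: Failed password for root from 198.51.100.7 port 5002 ssh2
"""

FAILED = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) \S+ sshd\[\d+\]: Failed password for "
                    r"(?:invalid user )?\S+ from (\d+\.\d+\.\d+\.\d+) port \d+")

def find_offenders(log_text, max_retry=3, find_time=600, whitelist=(), year=2014):
    """Return IPs with >= max_retry failures inside any find_time-second window."""
    recent = defaultdict(deque)   # ip -> failure timestamps still inside the window
    banned = []
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if not m:
            continue
        stamp, ip = m.groups()
        if ip in whitelist or ip in banned:
            continue
        when = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")  # syslog omits the year
        window = recent[ip]
        window.append(when)
        while when - window[0] > timedelta(seconds=find_time):
            window.popleft()      # forget failures older than the window
        if len(window) >= max_retry:
            banned.append(ip)
    return banned

def ban_rules(ips, chain="INPUT"):
    """Render (not execute) the dynamic iptables rules a ban tool would insert."""
    return [f"iptables -I {chain} -s {ip} -p tcp --dport 22 -j DROP" for ip in ips]

if __name__ == "__main__":
    for rule in ban_rules(find_offenders(SAMPLE_LOG, whitelist={"192.0.2.10"})):
        print(rule)
```

The user who mistyped a password once and then logged in, and who fails again half an hour later, never reaches the threshold inside one window, which is the flexibility a static whitelist-only ruleset gives up.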