5

How does fail2ban protect against SSH DDoS attacks? What does it do in the case of a DDoS attack? And how does it determine if it is a DDoS?

I am asking only about DDoS attacks.

(I assume it really can protect against DDoS because articles like How to Secure SSH server from Brute-Force and DDOS with Fail2ban (Ubuntu).)

porton
  • 2,136
  • 2
  • 21
  • 28
  • 1
    Fail2ban works by analysing log files for repeated logon attempts. If is sees a specified number of messages in a specified period of time, it uses the firewall to block that source ip address. – Raman Sailopal May 24 '18 at 14:57
  • And the firewall/iptables use less resources than ssh/nginx/apache when denying access. – pLumo May 24 '18 at 15:03

1 Answers1

5

It's hard to "protect" against DDoS attacks, but one can mitigate them by avoiding useless costly computation.

fail2ban can limit the number of attempts that each participant in the DDoS attack can do. Once blacklisted, attempts will be blocked before starting any costly cryptography. Instead of letting your SSH server perform useless computations, the firewall will apply simple rules to reject clients. Clients will still use your network bandwidth, and a bit of CPU time, but far less than the SSH server would.

Matthieu Moy
  • 284
  • 1
  • 2
  • 9