On Mon, Nov 7, 2016 at 9:43 PM, Linda Walsh wrote:

Greg Freemyer wrote:

...

Apparently my ISP changed my IP and I had made a typo or two in my password since the IP change.

--- I take it you don't have fixed IP? Since if you did, that would be real weird just to have your IP changed out from under you.

Correct, but it hadn't change in 3 years I assume. That's when I setup the server. -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org

On 11/07/2016 06:59 PM, Greg Freemyer wrote:

On Mon, Nov 7, 2016 at 9:43 PM, Linda Walsh wrote:

...

Greg Freemyer wrote:

...

Apparently my ISP changed my IP and I had made a typo or two in my password since the IP change.

--- I take it you don't have fixed IP? Since if you did, that would be real weird just to have your IP changed out from under you.

Correct, but it hadn't change in 3 years I assume. That's when I setup the server.

But that leaves me wondering... Server in the cloud Variable IP How do you find it? How do the users of such a cloud find it? Does cloud service supply some kind of dns service? Can't you add a FQDN to fail2ban instead of an IP? -- After all is said and done, more is said than done. -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org

On Tue, Nov 8, 2016 at 12:53 PM, Lew Wolfgang wrote:

On 11/08/2016 09:43 AM, John Andersen wrote:

...

On 11/07/2016 06:59 PM, Greg Freemyer wrote:

...

On Mon, Nov 7, 2016 at 9:43 PM, Linda Walsh wrote:

...

Greg Freemyer wrote:

...

Apparently my ISP changed my IP and I had made a typo or two in my password since the IP change.

--- I take it you don't have fixed IP? Since if you did, that would be real weird just to have your IP changed out from under you.

Correct, but it hadn't change in 3 years I assume. That's when I setup the server.

But that leaves me wondering... Server in the cloud Variable IP How do you find it? How do the users of such a cloud find it? Does cloud service supply some kind of dns service?

Can't you add a FQDN to fail2ban instead of an IP?

I'm confused. I assumed that OP's home IP changed. Your cloudy server changing IP is a completely different issue, right?

Lew is right. The cloud based server is a VM I rent. It has a static IP that has never changed. In the fail2ban config on that server I have: ignoreip = 1.2.3.4 where that would be my home IP. That means no matter how often I fat finger the password when working at my house and trying to connect to the server via SSH it doesn't lock me out. Several days ago, I got locked out. I logged into the server via a "console" login provided by the VM provider. It is basically only used for emergency access to the server when it won't boot, etc. Using the emergency login feature, I changed the ignoreip IP to my new home IP and I can now ssh in again.

But using a FQDN for access would open up possible security and DOS issues, wouldn't it?

I have no firewall holes in my home router. All socket initiation is outbound.

Regards, Lew

Greg -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org

On 11/08/2016 10:28 AM, Greg Freemyer wrote:

...

But using a FQDN for access would open up possible security and DOS

...

issues, wouldn't it? I have no firewall holes in my home router. All socket initiation is outbound.

Hi Greg, I was thinking with regard to the cloud server. Using DNS for access control is risky on a number of different fronts. BTW, I disable username/password on my remote ssh servers and use only my pre-placed public key. Regards, Lew -- "When a government enforces lawlessness it is no longer a government of the people. It is a tyranny." -- P Gendron -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org

On Tue, Nov 8, 2016 at 1:39 PM, John Andersen wrote:

On 11/08/2016 10:37 AM, Lew Wolfgang wrote:

...

BTW, I disable username/password on my remote ssh servers and use only my pre-placed public key.

Me too..

And even then I move ssh off of port 22 just to keep the logs clean of script kiddie attempts.

I should do both of those as well, but fail2ban keeps the logs pretty clean. But I don't really keep anything secret on that server. It's mostly for my company website that gets dozens of hits a day! Anything of value there is inside an encrypted ZIP file. Greg -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org

On 2016-11-08 19:28, Greg Freemyer wrote:

On Tue, Nov 8, 2016 at 12:53 PM, Lew Wolfgang wrote:

...

On 11/08/2016 09:43 AM, John Andersen wrote:

...

...

Can't you add a FQDN to fail2ban instead of an IP?

...

In the fail2ban config on that server I have:

ignoreip = 1.2.3.4 where that would be my home IP.

The doubt is whether you could place there the DNS name of your home IP, not the IP itself. -- Cheers / Saludos, Carlos E. R. (from 13.1 x86_64 "Bottle" at Telcontar)

On 2016-11-12 13:30, Rodney Baker wrote:

On Wednesday, 9 November 2016 3:51:58 AM ACDT Carlos E. R. wrote:

...

On 2016-11-08 19:28, Greg Freemyer wrote:

...

On Tue, Nov 8, 2016 at 12:53 PM, Lew Wolfgang wrote:

...

On 11/08/2016 09:43 AM, John Andersen wrote:

...

Can't you add a FQDN to fail2ban instead of an IP?

...

...

In the fail2ban config on that server I have:

ignoreip = 1.2.3.4 where that would be my home IP.

The doubt is whether you could place there the DNS name of your home IP, not the IP itself.

I was thinking the same thing. If you use a dynamic DNS service for your home IP then you could use the FQDN of your home connection in the fail2ban config, if that is supported.

I do see an issue with that, though - every connection attempt would trigger a reverse DNS lookup to get the hostname associated with the source IP address, which would consume a lot of resources, both on the host running fail2ban and lots of unnecessary DNS requests (especially in the case of a botnet attack from lots of spoofed IP addresses).

Ah. Ok. Two solutions. One is running a local DNS cache, like dnsmasq. It is possible that fail2ban doesn't accept names for that very reason. Then the trick is to edit that file with a cronjob that finds the current IP address of the home machine and updates the config if it changed. -- Cheers / Saludos, Carlos E. R. (from 13.1 x86_64 "Bottle" at Telcontar)