47 points todsacerdoti | 4 comments
_def No.41910445
opinions on the suggested fail2ban and ufw?
1. berbec No.41910485
fail2ban is a critical piece of security software, as is some firewall. For those new to Linux, you might as well use the one that is super-easy to install.
2. tptacek No.41910494
The opposite is true about fail2ban: it's cargo-cult security, and people shouldn't be running it. It never made any sense, but it especially makes no sense if you're going to (sensibly) disable password authentication.
3. trog No.41911141
I agree for ssh - but I use it on a couple servers that have WordPress for the sole purpose of blocking IPs that engage in brute force attempts.

It has a real and dramatic impact on a few things - I got CPU warnings from one server a couple weeks back because I'd inadvertently broken logging and fail2ban stopped working and someone was doing a persistent brute force at high volume for 8 hours.

After I fixed fail2ban it dropped off immediately. I know some WordPress plugins will do this but I've not had much success with them compared to fail2ban so it's still my default for this purpose.

Are there better system-level approaches than fail2ban in this case? Or is your comment mostly directed towards those using it for ssh blocking?

4. tptacek No.41911241
Just SSH.