Your network authentication should not be a fun game or series of Rube Goldberg contraptions.
Your network authentication should not be a fun game or series of Rube Goldberg contraptions.
Also by collecting data on the IP addresses that are triggering fail2ban I can identify networks and/or ASes that disproportionally host malicious traffic and block them at a global level.
It's possible that some compliance regimes exist that mandate keeping logs of all unsuccessfully authentication attempts. There's surely a compliance regime out there that mandates every possible permutation of thing.
But the far more common permutation, like we see with NIST, is that the organization has to articulate which logs it keeps, why those logs are sufficient for conducting investigations into system activity, and how it supports those investigations.
> The need to limit unsuccessful logon attempts and take subsequent action when the maximum number of attempts is exceeded applies regardless of whether the logon occurs via a local or network connection. Due to the potential for denial of service, automatic lockouts initiated by systems are usually temporary and automatically release after a predetermined, organization-defined time period.
The IDP will have some settings for max fails before lockout, and apply it by counting.
If you’re a company trying to meet a compliance regime and you don’t already have a central IDP, that’s step zero. None of the NIST requirements say “you must have an IDP”, but a massive portion of them are trivial with an IDP and a massive pain in the ass (both to implement and evidence to auditors) without one.