[general inquiry] fail2ban

jgreco

Because fail2ban sucks bigtime. If you're going to use something like that, at least install something decent like sshguard.

But really, your NAS isn't supposed to be exposed to the Internet, which is the primary use case for this class of tool. It isn't clear how you'd ever design this correctly because there is no obviously correct threat model on a private network. An admin fat-fingers a password a few times and gets the IP blocked? Do you just block SSH? The entire IP? For an infrastructure machine, both are hazardous and problematic.

Additionally, iXsystems does not set up ipfw rulesets, which would be needed for this sort of thing, and which would impact performance somewhat.
 

truecharts

> Because fail2ban sucks bigtime. If you're going to use something like that, at least install something decent like sshguard.
>
> But really, your NAS isn't supposed to be exposed to the Internet, which is the primary use case for this class of tool. It isn't clear how you'd ever design this correctly because there is no obviously correct threat model on a private network. An admin fat-fingers a password a few times and gets the IP blocked? Do you just block SSH? The entire IP? For an infrastructure machine, both are hazardous and problematic.
>
> Additionally, iXsystems does not set up ipfw rulesets, which would be needed for this sort of thing, and which would impact performance somewhat.

A side note on this:
It is possible to run fail2ban processing the logs from your containerised Apps. But indeed: This is VERY tricky to get right, there is no "magic pill", so it's not something that iX can easily implement.

It is on our mind though, to at least add it as an App :)
 