I am setting up an Ubuntu server hosted by Linode.
I am stepping through their security guide and they recommend installing fail2ban after disabling password based SSH logins.
I don't see the point in installing fail2ban if dictionary attacks are not possible with SSH keys.
Am I missing something here?
The botnet will mark you as unreachable for a while (and starts the attack again in a few hours/days). So it will lower traffic on your link, but not so much anyway :) That's my experience, but I am not using fail2ban, but a simple iptables rule.

The only possible benefit is that you know the "attacking" IP is a "bad guy" or compromised machine, and probably don't want to talk to them anyway. It's likely they'll try other protocols. If you have none open, nothing to worry about.
It might reduce bandwidth slightly. It would definitely reduce the spam in your logs (I change my SSH port to 2222 for this reason; but don't recommend that tactic unless you have a small group of admins accessing the box).
It's technically possible that they could guess an SSH key, but wholly unrealistic to think it will ever happen. I would recommend changing your SSH keys every few years (to ensure you're using "current" technology, and to verify documentation surrounding the system).
Fail2ban is not just for ssh brute-force attacks. If you have Apache, Postfix, Dovecot or other services supported by Fail2ban then you can protect those services.
You can even create your own filters and rules that match your specific need; for example, a Java webapp that logs failed login attempts to a file can have the IP banned after 10 retries in the last 5 minutes, and ban it for an hour.
So yes, there are various reasons to use fail2ban even if SSH is disabled.
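The custom-filter case described in the answer above, as an added example that is not part of the original answers: the two fail2ban fragments a practitioner would write for such a webapp (a `filter.d` definition whose `failregex` uses fail2ban's `<HOST>` placeholder, and a `jail.local` section with `maxretry = 10`, `findtime = 300`, `bantime = 3600`), plus a small replay of that filter and window logic over constructed log lines so the banning semantics can be seen offline. The Java log format, the jail name `javaapp-login` and the log path are assumptions for this example, not any real project's format; the `<HOST>` expansion is the one fail2ban itself uses.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed filter file, e.g. /etc/fail2ban/filter.d/javaapp-login.conf.
# The log format is invented for this example.
FILTER_D_JAVAAPP = r"""
[Definition]
failregex = ^\S+ \S+ WARN LoginService - Login failed for user '[^']*' from <HOST>$
ignoreregex =
"""

# Assumed jail section, e.g. appended to /etc/fail2ban/jail.local:
# 10 failures inside 300 s earn a 3600 s ban, as the answer describes.
JAIL_LOCAL_JAVAAPP = """
[javaapp-login]
enabled  = true
filter   = javaapp-login
logpath  = /var/log/javaapp/app.log
maxretry = 10
findtime = 300
bantime  = 3600
"""

# fail2ban replaces <HOST> with this named group (it also tolerates
# IPv4-mapped IPv6 prefixes such as ::ffff:).
HOST_RE = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"


def load_failregex(filter_conf):
    """Pull the failregex out of a filter.d fragment and expand <HOST>."""
    for line in filter_conf.splitlines():
        key, _, value = line.partition("=")
        if key.strip() == "failregex":
            return re.compile(value.strip().replace("<HOST>", HOST_RE))
    raise ValueError("filter has no failregex")


def load_jail(jail_conf):
    """Read the key = value options of a jail section into a dict."""
    opts = {}
    for line in jail_conf.splitlines():
        key, sep, value = line.partition("=")
        if sep:
            opts[key.strip()] = value.strip()
    return opts


def run_jail(lines, filter_conf=FILTER_D_JAVAAPP, jail_conf=JAIL_LOCAL_JAVAAPP):
    """Replay log lines through the filter and the jail's sliding window.

    Returns {host: time_of_ban} for every host that reaches maxretry failures
    within findtime. Real fail2ban parses the timestamp via its datepattern;
    here the constructed lines start with a fixed 'YYYY-mm-dd HH:MM:SS'.
    """
    failregex = load_failregex(filter_conf)
    jail = load_jail(jail_conf)
    maxretry = int(jail["maxretry"])
    findtime = timedelta(seconds=int(jail["findtime"]))
    bantime = timedelta(seconds=int(jail["bantime"]))
    failures = defaultdict(deque)   # host -> timestamps of recent failures
    banned_until = {}
    bans = {}
    for line in lines:
        m = failregex.match(line)
        if not m:
            continue                 # successful logins and other noise never count
        host = m.group("host")
        ts = datetime.strptime(line[:19], "%Y-%m-%d %H:%M:%S")
        if host in banned_until and ts < banned_until[host]:
            continue                 # firewall rule is in place; nothing reaches the app
        window = failures[host]
        window.append(ts)
        while window and ts - window[0] > findtime:
            window.popleft()         # failures older than findtime fall out of the window
        if len(window) >= maxretry:
            bans[host] = ts
            banned_until[host] = ts + bantime
            window.clear()
    return bans


def build_sample_log():
    """Constructed sample log: one fast attacker, one slow one, one success."""
    base = datetime(2024, 5, 1, 10, 0, 0)

    def failed(ts, user, ip):
        return f"{ts:%Y-%m-%d %H:%M:%S} WARN LoginService - Login failed for user '{user}' from {ip}"

    lines = []
    # 203.0.113.5: twelve failures one second apart -> banned on the tenth
    for i in range(12):
        lines.append(failed(base + timedelta(seconds=i), "admin", "203.0.113.5"))
    # 198.51.100.7: twelve failures one minute apart -> at most 6 inside 300 s, never banned
    for i in range(12):
        lines.append(failed(base + timedelta(minutes=i), "alice", "198.51.100.7"))
    # a successful login that the failregex must not match
    lines.append(f"{base:%Y-%m-%d %H:%M:%S} INFO LoginService - Login succeeded for user 'bob' from 192.0.2.9")
    return sorted(lines)             # timestamps lead each line, so this is chronological


if __name__ == "__main__":
    for host, when in run_jail(build_sample_log()).items():
        print(f"ban {host} at {when}")
```

Before enabling a real jail, check the regex against the real log with fail2ban's own tool, `fail2ban-regex /var/log/javaapp/app.log /etc/fail2ban/filter.d/javaapp-login.conf`, since a failregex that never matches silently protects nothing.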