dee 🏳️‍⚧️

fail2ban has one core maintainer github.com/fail2ban/fail2ban and he has only 3 GitHub sponsors github.com/sebres

WTF

I can't even comprehend how many servers are protected by fail2ban, how many compromises are avoided, how many people who run hobby things all the way up to major sites that get to sleep soundly every night... because of this single project.

#oss

35 comments
Chuck Darwin

@dee

Fail2Ban:
ban hosts that cause multiple authentication errors

Fail2Ban scans log files like /var/log/auth.log and bans IP addresses conducting too many failed login attempts.

It does this by updating system firewall rules to reject new connections from those IP addresses, for a configurable amount of time.

Fail2Ban comes out-of-the-box ready to read many standard log files, such as those for sshd and Apache,
and is easily configured to read any log file of your choosing, for any error you wish.

Though Fail2Ban is able to reduce the rate of incorrect authentication attempts,
it cannot eliminate the risk presented by weak authentication.

Set up services to use only two factor, or public/private authentication mechanisms if you really want to protect services.
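The counting logic described above (failures per source IP inside a time window, then a ban), as an added illustration that is not fail2ban's own code. The `maxretry`, `findtime` and `bantime` names mirror the real jail.conf settings; the log lines are constructed, the year and the UTC interpretation are assumptions, and no firewall rule is touched.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

# Constructed sshd lines in /var/log/auth.log style (syslog omits the year,
# so 2024 is assumed). Not taken from any real host.
SAMPLE_LOG = """\
Mar  3 10:00:01 host sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Mar  3 10:00:05 host sshd[1202]: Failed password for root from 203.0.113.7 port 51240 ssh2
Mar  3 10:00:09 host sshd[1203]: Failed password for root from 203.0.113.7 port 51241 ssh2
Mar  3 10:00:12 host sshd[1204]: Failed password for root from 203.0.113.7 port 51244 ssh2
Mar  3 10:00:15 host sshd[1205]: Failed password for root from 203.0.113.7 port 51250 ssh2
Mar  3 10:00:20 host sshd[1206]: Accepted publickey for alice from 198.51.100.4 port 40000 ssh2
Mar  3 10:01:00 host sshd[1207]: Failed password for bob from 198.51.100.9 port 40010 ssh2
Mar  3 10:30:00 host sshd[1208]: Failed password for bob from 198.51.100.9 port 40011 ssh2
Mar  3 10:59:00 host sshd[1209]: Failed password for bob from 198.51.100.9 port 40012 ssh2
Mar  3 11:28:00 host sshd[1210]: Failed password for bob from 198.51.100.9 port 40013 ssh2
Mar  3 11:57:00 host sshd[1211]: Failed password for bob from 198.51.100.9 port 40014 ssh2
"""

# Matches only sshd "Failed password" lines; captures timestamp and source IP.
FAIL_RE = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for .* from (\S+) port"
)


def find_bans(log_text, maxretry=5, findtime=600, bantime=3600, year=2024):
    """Return {ip: (ban_start, ban_end)} for every IP that accumulates
    maxretry failures within any findtime-second sliding window."""
    recent = defaultdict(deque)  # ip -> timestamps of failures still inside the window
    bans = {}
    for line in log_text.splitlines():
        m = FAIL_RE.match(line)
        if not m:
            continue  # successful logins and unrelated lines are ignored
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        ts = ts.replace(tzinfo=timezone.utc).timestamp()
        ip = m.group(2)
        if ip in bans:
            continue  # already banned; a real jail would have dropped the packet
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > findtime:
            q.popleft()  # drop failures that fell out of the window
        if len(q) >= maxretry:
            bans[ip] = (ts, ts + bantime)
    return bans
```

With the defaults, only 203.0.113.7 is banned; 198.51.100.9 spreads its five failures 29 minutes apart and never has more than one inside a 600-second window, which is why `findtime` has to be tuned to the rate you actually want to stop.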


Tim Lavoie

@cdarwin - I'm curious about the point of your post.
Pretty sure @dee knows full well what fail2ban is, and does.

CIMB4

@tim_lavoie @cdarwin @dee guess what, I didn't and found the comment very enlightening :3

Melroy van den Berg

@dee here is the direct link to the sponsor page, in case somebody wants to sponsor him: github.com/sponsors/sebres

Kera Vortiwife

@dee that one xkcd comic continues to be painfully correct

kajer

@dee

Wait... so if you dos his account...

mirabilos

@dee you know the xkcd for that, do you?

Signed /system/bin/sh on Android

Deus
Sometimes it's not always about the funds or $$. Have met a lot of developers who enjoy the freedom and the recognition without the money. Freedom = You feel obligated to sponsors so most want to avoid that 'shackle' and do things the way they like.

https://coracle.social/nevent1qqs26rmlukaspg3zf69m5qsqcwcaynxxae7wg9hzexla90v8vqw4mcsprpmhxue69uhhyetvv9ujumt0d4hhxarj9ecxjmntqld5am

Reed Mideke

@dee Well the good news for the maintainer is they can retire comfortably at any time by selling the project to an APT /s

ThomasCraig

@dee This presents a #security risk to any organisation that depends on #failtoban but is not supporting it.

Has anybody successfully championed for their org to make recurring donations to the open source software projects they rely on? How did you do it? Any challenges you confronted?

poleguy

@ThomasCraig @dee I tried to get my company to support #freecad. But I was able only to get a one time small hundred dollar donation. It had to be done by me and reimbursed because the company (#shure) did not want it to look like an endorsement for some odd reason. It was also hard to donate because only individuals were accepting donations at the time. Maybe there is an organization now? But it was a lot of work and nobody really seemed to care: Hit the schedule. Buy expensive Microsoft stuff.

Sarvo

@dee@grafana.social never needed to use it but yeah that's insane, hope you donated tho.

:neocat_scream: kitty!

@dee should I complain about this problem being immanent to the system that privatises profits and socialises losses?

13reak

@dee

Unfortunately, I strongly believe this is not the only project that looks like this. Companies only use open source and hardly support it. But when there's a vuln, the outcry to the maintainer is big.

Kevin Karhan :verified:

@dee Yeah...

It's beyond me that #fail2ban is so critically underfunded.

The Doctor

@kkarhan @dee Too many folks went all-in on Tailscale and just don't care about it. It's a frustrating thing to watch.

Ari [APz] Sovijärvi

@dee I've been in a position where I could ask my higher-ups for some funds to put into open source projects on which the company depended. Guess how often the bosses saw the light.

They'd rather spend the money on something where it's more "clear" to them what you get for the money, like licenses on stuff we really don't need.

Irenes (many)

@dee oh wow GOOD catch

you remember that whole thing we wrote after the xz incident, about how isolated maintainers need support from the community as a defense against abuse? https://cohost.org/ireneista/post/5349137-xz-and-community

FC (Fay) 🏳️‍🌈

@ireneista @dee this is really good (and reflects my own views). thanks!

(I'm lucky to be part of a supportive community now, but I'm still worried about being the sole maintainer of several projects essential for Android Reproducible Builds)

Adrian Cochrane

(Footnote) quote from linked page:

"I’ve come to really distrust the term “open-source”, as its original intention was – and remains – to make work exploitable by large companies, rather than to protect users or developers"

@LGUG2Z @dee

Adrian Cochrane

@LGUG2Z @dee I love the title "The Problem With Free Software…
…Is Capitalism"!

Michael Vilain

@dee it could be worse. It could be ntp source still running on the desktop in the single developers basement instead of in a GitHub repo thanks to Susan Sons.

Mina

@dee does your project have a cool logo and sexy marketing, or is it just core infrastructure?

LisPi
@dee @indigoparadox While I definitely do agree with the "support your Free Software dev" message, I'm somewhat skeptical of the security aspect implied.

With botnets being as popular as they are, fail2ban always struck me more as a mitigation measure for unnecessary system load, rather than a security measure.
Philip

@dee @miclgael I bumped into this fact recently when I reached out about some translation issues. I had no idea. It’s the de facto software to use that *every* article on server security recommends. 🤯

Angle

@dee Thinking about this, and like - whose job is it, precisely, to ensure this kind of thing doesn't happen? That core infra like this has more support? Do we expect the government to do it? Corporations? Or if neither of them, (Not keen on either, personally), then who? Is someone going to go "This is my job, I will systematically review all open source projects and make note of the ones that need more support"?

Angle

@dee Is this a job for some non-profit foundation, maybe? Or just a whole gaggle of different people, all with their own crowdfunding or whatever? :/

Angle

@dee Personally, I wouldn't mind taking a step back and funding an organization whose job it is to find problems like this and assemble solutions for them - find people to review all the core infra software and make sure it's supported, or assemble resources for the programmers of such, or a million other things. That's no small ask though - even just deciding what, exactly, falls within that area is quite a task. :/

Angle

@dee I've been thinking about doing something like that for my game, once I get it going - aiming to have, not just modders and map makers and streamers and the like, but a whole ecosystem of people to provide support for them as well. Not an easy thing to do though, so we'll see if I can manage it. XD

Ölbaum

(It’s a joke: it should have been the XKCD comic, but this is also a picture that is often posted without comment in a reply.)
