[sslh] fail2ban

[Yves Rutschle]

On Fri, Oct 04, 2013 at 05:32:23PM +0200, Davide Perini wrote:
> Really, really thanks for the help and the answer.
> Do you think that this will is an unsecure way to proceed?
> Is it more secure without --transparent ???

Supposing there is a vulnerability in sslh (which is a
reasonnable assumption):

sslh (as non-root) with --transparent requires
cap_net_admin, which lets sslh stop or otherwise
misconfigure the network interfaces. Arguably it's a bad
idea for an attacker to stop the network interface from
which you're attacking. To draw a parallel, that'd be like
the attack you perform on a bank is glueing its doors shut.
Sure, the bank no longer operates, but at least it's fallen
into a secure mode.

sslh (as non-root) without --transparent can't do much, but
maybe access all local servers appearing as localhost.
Presumably if there is a vulnerability this applies to sslh
with --transparent as well.

sslh as root: just don't.

So, by using --transparent you open an additional potential
risk of denial-of-service on your system, but you gain all
of fail2ban's protection. I am not sure what's best, but I'd
tend to believe having fail2ban will be more secure in the
end, especially considering that sslh is transparent to the
attacker: it takes the attacker knowing a vulnerability on
sslh _and_ taking the time to try and see if there's sslh en
route to httpd/sshd.

Y.