However, NethServer's UI (Cockpit and server-manager) doesn't accept FQDNs. Is this intended?
That could really be useful to whitelist a DynDNS address.
Also, I'd like to know if Fail2ban takes the Trusted networks into account. This can be useful for whitelisting the OpenVPN-tunnelled traffic coming from a remote site.
I'm back on that subject. My customer is really annoyed that its whole team (read: an IP shared by a company) gets regularly blocked because of one guy forgetting his password or misconfiguring a client app that starts frantically trying to log in over and over with a wrong password and gets the public IP kicked off because of recidive.
In my view, the chance that one could exploit a DNS poisoning weakness (read: OVH's DNS server in my case!) or whatever to try to circumvent fail2ban and further break passwords by brute force is really mitigated by the fact that such an attacker would have to know the right (dynamic) IP, and then have enough time to break in.
At least in my case I'm ready to take the risk in favour of the end-user experience. People writing their password on a post-it are much more dangerous!
Another case that will inevitably trigger fail2ban is when a user legitimately wants (or has to) change his password: as soon as he changes his password using the GUI, all his client apps using CalDAV, IMAP, SMTP, the Nextcloud sync client, or whatever protocol monitored by fail2ban will fail multiple times and will eventually block access before the user realises that he has to change the password everywhere. This is a real-world observation!
So in my view, while whitelisting a CIDR could obviously be a bad idea, allowing an FQDN might actually improve security by not discouraging users from changing their password.
What about allowing FQDNs, provided the admin is warned that it could be a security issue and that (s)he has to know what (s)he is doing?
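One way to get the effect discussed above without putting a hostname directly into the whitelist is to resolve the DynDNS name periodically (e.g. from a cron job) and keep the fail2ban ignore list in step with the resolved address. The script below is an added example, not NethServer's or fail2ban's own code: the jail names and the `office.example.dyndns` hostname are placeholders, while the `fail2ban-client set <jail> addignoreip / delignoreip` subcommands are real fail2ban (0.10+) commands. It deliberately keeps the previous entry when the name fails to resolve, so a DNS outage never empties the whitelist, and it refuses to whitelist loopback, unspecified or multicast answers, which is the cheap check one can make against a bad DNS reply.

```python
"""Keep a fail2ban ignore entry in sync with a dynamic DNS name.

Added example (not NethServer's or fail2ban's own code). Assumptions:
  - JAILS and DYNDNS_NAME below are placeholders for your own setup;
  - `fail2ban-client set <jail> addignoreip|delignoreip <ip>` is available
    (fail2ban >= 0.10).
"""
import ipaddress
import socket
import subprocess
from typing import Callable, List, Optional

JAILS = ["sshd", "recidive"]           # assumption: jails to keep in sync
DYNDNS_NAME = "office.example.dyndns"  # placeholder dynamic DNS name


def resolve(name: str, resolver: Callable[[str], str] = socket.gethostbyname) -> Optional[str]:
    """Resolve `name` to one usable public-style address, or None.

    Returns None on resolution failure or when the answer is not an address
    we would ever want in an ignore list (loopback, 0.0.0.0, multicast).
    """
    try:
        ip = ipaddress.ip_address(resolver(name))
    except (OSError, ValueError):  # socket.gaierror is an OSError subclass
        return None
    if ip.is_loopback or ip.is_unspecified or ip.is_multicast:
        return None
    return str(ip)


def plan_refresh(previous_ip: Optional[str], resolved_ip: Optional[str],
                 jails: List[str] = JAILS) -> List[List[str]]:
    """Return the fail2ban-client commands needed to move the ignore entry.

    If resolution failed, or nothing changed, do nothing: the old entry stays,
    which is the safer failure mode for a whitelist that protects real users.
    """
    if resolved_ip is None or resolved_ip == previous_ip:
        return []
    cmds = []
    for jail in jails:
        if previous_ip:
            cmds.append(["fail2ban-client", "set", jail, "delignoreip", previous_ip])
        cmds.append(["fail2ban-client", "set", jail, "addignoreip", resolved_ip])
    return cmds


def refresh(previous_ip: Optional[str], name: str = DYNDNS_NAME,
            runner: Callable = subprocess.run,
            resolver: Callable[[str], str] = socket.gethostbyname) -> Optional[str]:
    """Resolve, apply the planned commands, and return the IP now whitelisted."""
    resolved = resolve(name, resolver)
    for cmd in plan_refresh(previous_ip, resolved):
        runner(cmd, check=True)
    return resolved if resolved is not None else previous_ip


if __name__ == "__main__":
    import sys
    # Usage: store the printed IP and pass it back on the next run, e.g.
    #   python refresh_ignoreip.py "$(cat /var/tmp/office-ip)" > /var/tmp/office-ip
    prev = sys.argv[1] if len(sys.argv) > 1 and sys.argv[1] else None
    print(refresh(prev) or "")
```

The state file in the usage comment is the only persistence needed; because `delignoreip` is issued for the previous address before `addignoreip` for the new one, the ignore list never accumulates stale addresses from earlier DynDNS updates.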
So you will make a custom template of a file that I could possibly modify one day... keep it in mind. I have chosen a file that, even if I modify it, you shouldn't have much trouble with.
That said, I wonder if I'm the only one to set up a dedicated server outside an organisation's premises, with all the fail2ban nightmares that such a setup implies.
That said, I imagined another way to achieve this: since there is an OpenVPN tunnel between the servers and the customer's premises, I should have defined local DNS entries pointing to local addresses, to get the traffic directed through the VPN tunnel instead of over the internet.