Server Security Questions: 2FA and Fail2ban

Dear Colleagues,

I would like to understand more about the security mechanism of my Seafile behind Nginx.

  • I have set up three users.
  • All users have crazy long passwords (16+ random chars) and have 2FA activated.
  • I don’t have fail2ban in use and I’m trying to find out if I need it.
  • I have a login_attempt_limit of 5 (until Captcha).
  • I still have Freeze_User_On_Login_Failed disabled.

So in my theory, if someone tries to hack my server he would first need my username.
Okay, let's say he has my username/email; then he tries to brute-force my password (okay, at this point I would like to stop and bring in some questions):

  1. As my current setup doesn’t freeze accounts on the login fail count, the attack could go on until 5 attempts; then a captcha is requested, which should prevent bots from keeping this game running.
  2. If I enabled freeze on login fail, anybody knowing my URL and username could log in wrongly 5 times and lock me out.
  3. So I could log in with bill.gates@microsoft.com a certain number of times wrong and would disable Billy's account? I don't think so… why would I freeze users if logon fails a few times?

Never mind; if the attacker gets my password and username and logs in, he will be prompted for the 2FA key of my authenticator. Despite the fact that I’m really sure there are some false statements in my theory, from my point of view strong passwords and 2FA seem to be good enough…

For ease of discussion, let's put all the SSL/NGINX attack scenarios aside for now.

Very excited to get feedback on this.
Thanks in advance.

Michael
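The trade-off behind questions 2 and 3 above (freezing an account on failed logins versus banning the failing source, which is what fail2ban does) can be shown with a small simulation. This is an added example, not code from the thread or from Seafile; the login events are constructed, not real Seafile log lines, and the limit of 5 mirrors the login_attempt_limit from the post:

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of web-login events: (timestamp, source IP, account, success).
# An attacker who knows the username fails repeatedly from one address; later the
# legitimate owner logs in correctly from a different address.
EVENTS = [
    ("2024-01-01 10:00:01", "203.0.113.7", "michael@example.org", False),
    ("2024-01-01 10:00:02", "203.0.113.7", "michael@example.org", False),
    ("2024-01-01 10:00:03", "203.0.113.7", "michael@example.org", False),
    ("2024-01-01 10:00:04", "203.0.113.7", "michael@example.org", False),
    ("2024-01-01 10:00:05", "203.0.113.7", "michael@example.org", False),
    ("2024-01-01 10:00:06", "203.0.113.7", "michael@example.org", False),
    ("2024-01-01 10:05:00", "198.51.100.20", "michael@example.org", True),
]

LIMIT = 5                      # login_attempt_limit from the post
WINDOW = timedelta(minutes=10)  # assumed fail2ban-style findtime

def account_freeze_policy(events, limit=LIMIT):
    """Freeze-on-login-failed style: count failures per *account*, whatever the source.
    Returns (frozen_accounts, rejected_logins)."""
    failures = defaultdict(int)
    frozen, rejected = set(), []
    for ts, ip, user, ok in events:
        if user in frozen:
            rejected.append((ts, ip, user))  # the real owner is turned away too
            continue
        if ok:
            failures[user] = 0
            continue
        failures[user] += 1
        if failures[user] >= limit:
            frozen.add(user)
    return frozen, rejected

def source_ban_policy(events, limit=LIMIT, window=WINDOW):
    """fail2ban style: count failures per *source IP* within a sliding window and ban
    that source only. Returns (banned_ips, rejected_logins)."""
    recent = defaultdict(list)
    banned, rejected = set(), []
    for ts, ip, user, ok in events:
        t = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        if ip in banned:
            rejected.append((ts, ip, user))
            continue
        if ok:
            continue
        recent[ip] = [x for x in recent[ip] if t - x <= window] + [t]
        if len(recent[ip]) >= limit:
            banned.add(ip)
    return banned, rejected
```

With the account-freeze policy the owner's correct login at 10:05 is rejected (the lock-out from question 2); with the per-source policy only the attacking address is banned and the owner gets in, while the account itself is still protected by the password and 2FA rather than by the ban.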

Just a thought here: I like to use Fail2ban on my servers because it covers a lot of things at once.

You’re concerned about someone accessing your Seafile install, but there are other threats too that could compromise your Seafile install and more.

For example, what if someone manages to gain access to your server by brute-forcing your SSH server? If your attacker gets into your system with a sudoer account, it could give your attacker full access to your system and its underlying services (access to your database, for example).

Thanks for your input. I don’t want to avoid fail2ban, and this type of information is exactly what I wanted to discuss, yet I want to argue a bit more; therefore: how would someone brute-force SSH when he can only reach the server via port 80 or 443?

I believe that fail2ban can improve security but I’m not fully satisfied with my overall understanding right now.

Thanks a lot

2FA makes your account practically impenetrable. If you’re concerned about someone gaining access to your server by hacking the authentication system or any other services running on that instance, make the server only accessible through a VPN or something like that. In practice, 2FA and a relatively strong password is all you need.

Having a look at the information you provided, there is no need for fail2ban. The only advantage it could add is saving resources, because an attacker would be blocked at a very low level.