Merge pull request #602 from grooverdan/doco-risks-and-limitations

DOC: Doco risks and limitations

README.md

@@ -11,6 +11,11 @@ password failures. It updates firewall rules to reject the IP address. These
 rules can be defined by the user. Fail2Ban can read multiple log files such as
 sshd or Apache web server ones.
 
+Fail2Ban is able to reduce the rate of incorrect authentications attempts
+however it cannot eliminate the risk that weak authentication presents.
+Configure services to use only two factor or public/private authentication
+mechanisms if you really want to protect services.
+
 This README is a quick introduction to Fail2ban. More documentation, FAQ, HOWTOs
 are available in fail2ban(1) manpage and on the website http://www.fail2ban.org
 

config/filter.d/sshd.conf

@@ -1,5 +1,8 @@
 # Fail2Ban filter for openssh
 #
+# If you want to protect OpenSSH from being bruteforced by password
+# authentication then get public key authentication working before disabling
+# PasswordAuthentication in sshd.conf.
 
 [INCLUDES]
 

man/fail2ban.1

@@ -25,6 +25,17 @@ For testing regular expressions specified in a filter using the
 fail2ban-regex program may be of use and its manual page is
 fail2ban-regex(1).
 
+.SH LIMITATION
+
+Fail2Ban is able to reduce the rate of incorrect authentications attempts
+however it cannot eliminate the risk that weak authentication presents. 
+Configure services to use only two factor or public/private authentication
+mechanisms if you really want to protect services.
+
+A local user is able to inject messages into syslog and using a Fail2Ban
+jail that reads from syslog, they can effectively trigger a DoS attack against
+any IP. Know this risk and configure Fail2Ban/grant shell access acordingly.
+
 .SH FILES
 \fI/etc/fail2ban/*\fR
 .SH AUTHOR