From ef82eac790ec93803569f81d5e6d20c3e2de3b00 Mon Sep 17 00:00:00 2001 From: Daniel Black Date: Sun, 2 Feb 2014 15:16:40 +1100 Subject: [PATCH 1/2] DOC: openssh real protection is pubkey --- config/filter.d/sshd.conf | 3 +++ 1 file changed, 3 insertions(+) diff --git a/config/filter.d/sshd.conf b/config/filter.d/sshd.conf index 8d39f412..92b6ed19 100644 --- a/config/filter.d/sshd.conf +++ b/config/filter.d/sshd.conf @@ -1,5 +1,8 @@ # Fail2Ban filter for openssh # +# If you want to protect OpenSSH from being bruteforced by password +# authentication then get public key authentication working before disabling +# PasswordAuthentication in sshd.conf. [INCLUDES] From 7b56daee8f609b277f42bdf4cbdf38bb9af88c4f Mon Sep 17 00:00:00 2001 From: Daniel Black Date: Sun, 2 Feb 2014 15:17:10 +1100 Subject: [PATCH 2/2] DOC: set realistic expectations of what fail2ban protects against --- README.md | 5 +++++ man/fail2ban.1 | 11 +++++++++++ 2 files changed, 16 insertions(+) diff --git a/README.md b/README.md index 2482856f..20b0b077 100644 --- a/README.md +++ b/README.md @@ -11,6 +11,11 @@ password failures. It updates firewall rules to reject the IP address. These rules can be defined by the user. Fail2Ban can read multiple log files such as sshd or Apache web server ones. +Fail2Ban is able to reduce the rate of incorrect authentications attempts +however it cannot eliminate the risk that weak authentication presents. +Configure services to use only two factor or public/private authentication +mechanisms if you really want to protect services. + This README is a quick introduction to Fail2ban. More documentation, FAQ, HOWTOs are available in fail2ban(1) manpage and on the website http://www.fail2ban.org diff --git a/man/fail2ban.1 b/man/fail2ban.1 index 8f93dbc7..660168f1 100644 --- a/man/fail2ban.1 +++ b/man/fail2ban.1 
@@ -25,6 +25,17 @@ For testing regular expressions specified in a filter using the fail2ban-regex program may be of use and its manual page is fail2ban-regex(1). +.SH LIMITATION + +Fail2Ban is able to reduce the rate of incorrect authentications attempts +however it cannot eliminate the risk that weak authentication presents. +Configure services to use only two factor or public/private authentication +mechanisms if you really want to protect services. + +A local user is able to inject messages into syslog and using a Fail2Ban +jail that reads from syslog, they can effectively trigger a DoS attack against +any IP. Know this risk and configure Fail2Ban/grant shell access acordingly. + .SH FILES \fI/etc/fail2ban/*\fR .SH AUTHOR
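Review bot: in the config/filter.d/sshd.conf hunk of patch 1/2, the added comment tells readers to disable PasswordAuthentication "in sshd.conf", but the OpenSSH server reads its configuration from sshd_config (normally /etc/ssh/sshd_config), and PasswordAuthentication is a keyword of that file; the line should read "... before disabling PasswordAuthentication in sshd_config." The underlying advice is sound: confirm a key-based login works in a second session before setting `PasswordAuthentication no`, otherwise the change locks the administrator out. Minor style point: "bruteforced" reads better as "brute-forced".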
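Review bot: grammar and wording in the README.md hunk of patch 2/2: "incorrect authentications attempts" should be "incorrect authentication attempts", and "two factor or public/private authentication mechanisms" is vague about what is meant; "two-factor or public-key authentication" names the mechanisms. "if you really want to protect services" is editorial; stating the condition, e.g. "if weak or guessable passwords are a concern", tells the reader when the advice applies. Because the same paragraph is pasted verbatim into man/fail2ban.1 in the next hunk, apply the same wording fix to both copies so they do not drift apart.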
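Review bot: typo in the last added line of the man/fail2ban.1 hunk: "acordingly" should be "accordingly", and "configure Fail2Ban/grant shell access" reads better split out as "configure Fail2Ban, and grant local shell access, accordingly". Since the section lists two separate limitations, `.SH LIMITATIONS` fits better than `.SH LIMITATION`. The syslog paragraph would help readers more if it said how the injection works: any local user can write arbitrary text to syslog with logger(1), including a tag such as `sshd` that imitates the real daemon's prefix, so a jail whose failregex matches on message content can be made to ban whatever address the user names in the forged line. Pointing readers at the jail's `ignoreip` setting for hosts that must never be banned would give them a concrete mitigation alongside the warning.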