I think I found why it is failing, but, as a bounty has been set, I'll wait for it to finish before writing down the answer, thus offering other users to try and answer the question... (@Moderators: Is this OK? What should I do otherwise?)
Edit:
As nobody answered, I'll jot down what I discovered.
Two things were wrong about my setup (actually one about my setup and one about fail2ban itself):
1.- If I try
sudo iptables -N fail2ban-apache-404-slowattackers
which is the command fail2ban issues, I get the following message:
iptables v1.4.4: chain name `fail2ban-apache-404-slowattackers' too long (must be under 30 chars)
If this had been logged to fail2ban.log, I would have known what wass going wrong (but it wasn't logged). So, changing the name of my custom filter to something shorter (for instance apache-404-slowatt) did the trick, as iptable chain name becomes below 30 characters.
2.- There's a (seemingly) faulty fail2ban script that apparently 'runs too quickly', so I found a workaround.
Quoting:
I had multiple fail2ban.action.action ERROR on startup/restart. It seems there was a "race" condition with iptables. I solved the problem completely on my system by editing /usr/bin/fail2ban-client and adding a time.sleep(0.1):
def __processCmd(self, cmd, showRet = True):
beautifier = Beautifier()
for c in cmd:
time.sleep(0.1)
beautifier.setInputCmd(c)
Don't log in as such. Instead, from your local machine, run
ssh user@server mv /path/to/source /path/to/dest
That should let you get around the problem.
On a more general note, I do believe you are being a bit paranoid here. Setting the idle time to 5 minutes and then facing this kind of issue seems silly. Just set it to something longer and avoid the problem.
As for your 1st question, mv will only delete the source files if the copy succeeded. As explained in info mv (emphasis mine):
It first uses some of the same code that's used by `cp -a'
to copy the requested directories and files, then (assuming the copy
succeeded) it removes the originals. If the copy fails, then the part
that was copied to the destination partition is removed. If you were
to copy three directories from one partition to another and the copy of
the first directory succeeded, but the second didn't, the first would
be left on the destination partition and the second and third would be
left on the original partition.
Best Answer
There are different solutions. The best one is using RSA authentication that uses public/private keys to authenticate users.
Check this great manual for different approaches (RSA authentication included): http://www.la-samhna.de/library/brutessh.html
I'm using the 3rd solution on my server because I don't want to make it complicated for my non-technical users: using
iptablesto limit the number of connections per minute that makes bruteforce attacks inefficient and ineffective.Here is the solution I'm using:
As mentioned here: this will allow three port 22 connections from any given IP address within a 60 second period, and require 60 seconds of no subsequent connection attempts before it will resume allowing connections again. The --rttl option also takes into account the TTL of the datagram when matching packets, so as to endeavour to mitigate against spoofed source addresses.
As stated in the mentioned guide, it's better to use a white list to separate trusted users from these rules:
then add trusted hosts:
and after that make the rules: