I get that there won’t be any security updates. So any problem found can be exploited. But how high is the chance for problems for an average user if you say, only browse some safe websites? If you have a pc you don’t really care much about, without any personal information? It feels like the danger is more theoretical than what will actually happen.

Or… are there any examples of people (not corpos) getting wrecked in the past by an eol OS?

  • callcc@lemmy.world
    link
    fedilink
    arrow-up
    3
    ·
    edit-2
    5 months ago

    It’s debated whether software like fail2ban actually helps or if it just makes attacks visible that would anyways fail if you have up to date software. Oftentimes, defensive software adds attack-surface because it adds more software that can be targeted by attackers.

    Fail2ban might help with protecting against exploiting of bad passwords though.

    • jet@hackertalks.com
      link
      fedilink
      English
      arrow-up
      2
      ·
      5 months ago

      Tar pitting, rate limiting, banning failed attempts, are all critical security measures. If you let somebody try passwords, login attempts, with infinite speed, allow people to brute force your systems, you will get exploited

      Even if you don’t get exploited, you can get asymmetrically DOSed. It takes a lot of compute power to deal with an authentication attempt, and not much compute power to put in a failed request

      • callcc@lemmy.world
        link
        fedilink
        arrow-up
        2
        ·
        5 months ago

        I totally agree about rate limiting, mostly against bad passwords that you are not in control of. But banning failed attempts is mostly not interesting if you ask me. It feels like the right thing to do, but IP addresses can change and other measures are better.

        • jet@hackertalks.com
          link
          fedilink
          English
          arrow-up
          1
          ·
          5 months ago

          I agree. No ban should be permanent, just increasingly larger timeouts. If it’s a legitimate user they’ll have some other channel to reach out to to unban the IP