Re: How we handle attacks?

2013-10-07 Thread inode0
On Mon, Oct 7, 2013 at 10:37 AM, Toshio Kuratomi wrote:
> Objection.
>
> + Use denyhosts as this is what we're using on the rest of infra.
>
> + we should talk a bit about whether we want denyhosts on for all cloud
> boxes or just specific ones.  I lean towards enabling it for security but we
> did envision the cloud hosts being more forgiving than the rest of infra's
> hosts so we should just take a moment to make sure there's no use cases it's
> impacting.

If you do ever consider moving away from denyhosts please take a look
at solutions that don't require log scraping which denyhosts has
already proved can be yet another security hole. Philosophically I
don't see much difference between these two choices (denyhosts and
fail2ban as both share in the less than optimal method of log scraping
to trigger action).

I would at least reconsider other options at that time. Things that
don't depend on logs like pam_abl seem to my mind to be better designed
with security in mind.

John
___
infrastructure mailing list
infrastructure@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/infrastructure

Re: How we handle attacks?

2013-10-07 Thread Toshio Kuratomi
Objection.

+ Use denyhosts as this is what we're using on the rest of infra.

+ we should talk a bit about whether we want denyhosts on for all cloud
boxes or just specific ones.  I lean towards enabling it for security but
we did envision the cloud hosts being more forgiving than the rest of
infra's hosts so we should just take a moment to make sure there's no use
cases it's impacting.

-Toshio

On Oct 7, 2013 3:56 AM, "Miroslav Suchý" wrote:

> On 10/07/2013 05:23 AM, Anshu Prateek wrote:
>
>> Most of these logins are automated bot attempts. On my personal servers,
>> one easy way I have found is changing the
>> default port to something else and that cuts down my lastb by almost 99%!
>>
>
> Yes, I do that for my personal servers as well (and it works really well).
> But I do not think this is a good approach in an organization where people
> fluctuate quite often (think about the apprentice group).
>
> fail2ban looks good, I'm trying it right now. Unless somebody objects
> I will add it to ./tasks/cloud_setup_basic.yml
> so all cloud images will use it.
>
> --
> Miroslav Suchy, RHCE, RHCDS
> Red Hat, Software Engineer, #brno, #devexp, #fedora-buildsys

Re: How we handle attacks?

2013-10-07 Thread Miroslav Suchý

On 10/07/2013 05:23 AM, Anshu Prateek wrote:

> Most of these logins are automated bot attempts. On my personal servers, one
> easy way I have found is changing the
> default port to something else and that cuts down my lastb by almost 99%!

Yes, I do that for my personal servers as well (and it works really well).
But I do not think this is a good approach in an organization where people
fluctuate quite often (think about the apprentice group).

fail2ban looks good, I'm trying it right now. Unless somebody objects I
will add it to ./tasks/cloud_setup_basic.yml
so all cloud images will use it.

--
Miroslav Suchy, RHCE, RHCDS
Red Hat, Software Engineer, #brno, #devexp, #fedora-buildsys