How we handle attacks?

2013-10-03 Thread Miroslav Suchý
I see in the log file of copr-fe-dev a lot of attempts to login as root/postgres/nagios/oracl/test user. Well, it is ~4000
attempts. So it depends on your definition of "a lot of". But it caught my attention.


Do we have some standard procedure for how to handle it? Add those IPs to a blacklist? Move the ssh port to a non-standard number? Or
should I just ignore them?

--
Miroslav Suchy, RHCE, RHCDS
Red Hat, Software Engineer, #brno, #devexp, #fedora-buildsys
___
infrastructure mailing list
infrastructure@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/infrastructure

Re: How we handle attacks?

2013-10-03 Thread Jhoanir Torres
It is highly recommended to use 'Fail2Ban' on victim servers.

--
Jhoanir Torres
On Oct 3, 2013 7:20 AM, "Miroslav Suchý" wrote:

> I see in the log file of copr-fe-dev a lot of attempts to login as
> root/postgres/nagios/oracl/test user. Well, it is ~4000 attempts. So it
> depends on your definition of "a lot of". But it caught my attention.
>
> Do we have some standard procedure for how to handle it? Add those IPs to a
> blacklist? Move the ssh port to a non-standard number? Or should I just ignore
> them?
> --
> Miroslav Suchy, RHCE, RHCDS
> Red Hat, Software Engineer, #brno, #devexp, #fedora-buildsys

Re: How we handle attacks?

2013-10-03 Thread Miroslav Suchý

On 10/03/2013 02:55 PM, Jhoanir Torres wrote:

> Is highly recommended use 'Fail2Ban' in victim servers.

And do we already use it? Because git grep in ansible.git returns zero for me.

--
Miroslav Suchy, RHCE, RHCDS
Red Hat, Software Engineer, #brno, #devexp, #fedora-buildsys

Re: How we handle attacks?

2013-10-03 Thread Toshio Kuratomi
On Thu, Oct 03, 2013 at 03:10:13PM +0200, Miroslav Suchý wrote:
> On 10/03/2013 02:55 PM, Jhoanir Torres wrote:
> >Is highly recommended use 'Fail2Ban' in victim servers.
> 
> And do we already use it? Because git grep in ansible.git returns zero to me.
> 
We use denyhosts which serves a similar purpose but bans ips in a different
way.

-Toshio



Re: How we handle attacks?

2013-10-03 Thread Kevin Fenzi
On Thu, 3 Oct 2013 07:40:10 -0700
Toshio Kuratomi  wrote:

> On Thu, Oct 03, 2013 at 03:10:13PM +0200, Miroslav Suchý wrote:
> > On 10/03/2013 02:55 PM, Jhoanir Torres wrote:
> > >Is highly recommended use 'Fail2Ban' in victim servers.
> > 
> > And do we already use it? Because git grep in ansible.git returns
> > zero to me.
> > 
> We use denyhosts which serves a similar purpose but bans ips in a
> different way.

Yeah, we use denyhosts. 

We might want to look at all the options in this space again at some
point however. I think denyhosts isn't maintained much upstream anymore
and thus is not porting to journald, so with newer releases it's likely
to stop working. ;( 

kevin



Re: How we handle attacks?

2013-10-03 Thread Matthew Miller
On Thu, Oct 03, 2013 at 09:29:36AM -0600, Kevin Fenzi wrote:
> We might want to look at all the options in this space again at some
> point however. I think denyhosts isn't maintained much upstream anymore
> and thus is not porting to journald, so with newer releases it's likely
> to stop working. ;( 

FWIW fail2ban _is_ porting to journald.


-- 
Matthew Miller  ☁☁☁  Fedora Cloud Architect  ☁☁☁  

Re: How we handle attacks?

2013-10-03 Thread Tristan Santore

On 03/10/13 16:34, Matthew Miller wrote:

> On Thu, Oct 03, 2013 at 09:29:36AM -0600, Kevin Fenzi wrote:
>
> > We might want to look at all the options in this space again at some
> > point however. I think denyhosts isn't maintained much upstream anymore
> > and thus is not porting to journald, so with newer releases it's likely
> > to stop working. ;(
>
> FWIW fail2ban _is_ porting to journald.

But fail2ban still does not support IPv6, which is mildly irritating.
Further, they seem to be dragging their feet about the issue, even though
a few people have tried making patches for it. I believe it has
something to do with the way it is implemented, which would ideally require a
partial rewrite. Also there has been a debate on setting
different IPv6 subnet bans, which is where part of the hold-up rests.


I hope the issue gets resolved soon.

Regards,

Tristan

--
Tristan Santore BSc MBCS
TS4523-RIPE
Network and Infrastructure Operations
InterNexusConnect
Mobile +44-78-55069812
tristan.sant...@internexusconnect.net

Former Thawte Notary
(Please note: Thawte has closed its WoT programme down,
and I am therefore no longer able to accredit trust)

For Fedora related issues, please email me at:
tsant...@fedoraproject.org

Re: How we handle attacks?

2013-10-06 Thread Anshu Prateek
I guess you are talking about ssh access?

Most of these logins are automated bot attempts. On my personal servers,
one easy way I have found is changing the default port to something else
and that cuts down my lastb by almost 99%!


On Thu, Oct 3, 2013 at 5:50 PM, Miroslav Suchý  wrote:

> I see in the log file of copr-fe-dev a lot of attempts to login as
> root/postgres/nagios/oracl/test user. Well, it is ~4000 attempts. So it
> depends on your definition of "a lot of". But it caught my attention.
>
> Do we have some standard procedure for how to handle it? Add those IPs to a
> blacklist? Move the ssh port to a non-standard number? Or should I just ignore
> them?
> --
> Miroslav Suchy, RHCE, RHCDS
> Red Hat, Software Engineer, #brno, #devexp, #fedora-buildsys

Re: How we handle attacks?

2013-10-06 Thread Christopher Meng
Do we need some honeypots? ;)

Re: How we handle attacks?

2013-10-07 Thread Miroslav Suchý

On 10/07/2013 05:23 AM, Anshu Prateek wrote:

> Most of these logins are automated bot attempts. On my personal servers, one
> easy way I have found is changing the
> default port to something else and that cuts down my lastb by almost 99%!

Yes, I do that for my personal servers as well (and it works really well). But I do not think this is a good approach in an
organization where people fluctuate quite often (think about the apprentice group).


fail2ban looks good, I'm trying it right now. Unless somebody objects, I
will add it to ./tasks/cloud_setup_basic.yml
so all cloud images will use it.

--
Miroslav Suchy, RHCE, RHCDS
Red Hat, Software Engineer, #brno, #devexp, #fedora-buildsys
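The decision that fail2ban (and denyhosts) make on sshd's log is a simple one: count failed logins per source address inside a sliding time window and act once a threshold is crossed. The following script is an added example, not part of this thread or of the fail2ban/denyhosts projects; it re-implements that counting over a few constructed log lines in the classic syslog format (the year is absent from that format, so 2013 is assumed) and reports which addresses would cross a fail2ban-style `maxretry`/`findtime` threshold. The regex matches only the two common "Failed password" message shapes, which is also the caveat inode0 raises later in the thread: anything built on log scraping is only as reliable as the log format it expects.

```python
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines (no real hosts); the two message shapes sshd uses
# for a wrong password on an existing and on a non-existent account.
SAMPLE_LOG = """\
Oct  3 07:12:01 copr-fe-dev sshd[2101]: Failed password for root from 203.0.113.7 port 51234 ssh2
Oct  3 07:12:03 copr-fe-dev sshd[2103]: Failed password for invalid user postgres from 203.0.113.7 port 51240 ssh2
Oct  3 07:12:05 copr-fe-dev sshd[2105]: Failed password for invalid user nagios from 203.0.113.7 port 51244 ssh2
Oct  3 07:12:08 copr-fe-dev sshd[2107]: Failed password for invalid user oracle from 203.0.113.7 port 51250 ssh2
Oct  3 07:12:11 copr-fe-dev sshd[2109]: Failed password for invalid user test from 203.0.113.7 port 51255 ssh2
Oct  3 07:13:00 copr-fe-dev sshd[2111]: Failed password for root from 198.51.100.20 port 40001 ssh2
Oct  3 07:15:30 copr-fe-dev sshd[2113]: Failed password for root from 198.51.100.20 port 40002 ssh2
Oct  3 07:40:00 copr-fe-dev sshd[2120]: Accepted publickey for msuchy from 192.0.2.10 port 22222 ssh2
Oct  3 08:01:00 copr-fe-dev sshd[2130]: Failed password for root from 198.51.100.20 port 40003 ssh2
"""

FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_failures(text, year=2013):
    """Yield (timestamp, user, ip) for every failed-password line.

    Syslog timestamps carry no year, so one is supplied by the caller."""
    for line in text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue  # successful logins and unrelated messages are skipped
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["user"], m["ip"]


def find_offenders(events, maxretry=5, findtime=600):
    """Return {ip: time_of_ban} for addresses with >= maxretry failures
    inside any findtime-second window, mirroring fail2ban's option names."""
    window = timedelta(seconds=findtime)
    recent = defaultdict(deque)  # ip -> timestamps still inside the window
    banned = {}
    for ts, _user, ip in sorted(events):
        if ip in banned:
            continue  # already decided; fail2ban would also stop counting here
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()  # drop failures that fell out of the window
        if len(q) >= maxretry:
            banned[ip] = ts
    return banned


def count_by_user(events):
    """How often each account name was tried; useful for spotting the
    root/postgres/nagios/oracle/test pattern from the original report."""
    return Counter(user for _ts, user, _ip in events)


if __name__ == "__main__":
    evs = list(parse_failures(SAMPLE_LOG))
    print("failed logins by user:", dict(count_by_user(evs)))
    for ip, when in find_offenders(evs).items():
        print(f"{ip} would be banned at {when:%H:%M:%S}")
```

With the sample above, 203.0.113.7 reaches five failures within ten seconds and is flagged, while 198.51.100.20 spreads three attempts over almost an hour and never crosses the threshold, which is exactly the slow-scan case a window-based counter misses unless `findtime` is lengthened.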

Re: How we handle attacks?

2013-10-07 Thread Toshio Kuratomi
Objection.

+ Use denyhosts as this is what we're using on the rest of infra.

+ we should talk a bit about whether we want denyhosts on for all cloud
boxes or just specific ones.  I lean towards enabling it for security but
we did envision the cloud hosts being more forgiving than the rest of
infra's hosts so we should just take a moment to make sure there's no use
cases it's impacting.

-Toshio
On Oct 7, 2013 3:56 AM, "Miroslav Suchý" wrote:

> On 10/07/2013 05:23 AM, Anshu Prateek wrote:
>
>> Most of these logins are automated bot attempts. On my personal servers,
>> one easy way I have found is changing the
>> default port to something else and that cuts down my lastb by almost 99%!
>>
>
> Yes, I do that for my personal servers as well (and it works really good).
> But I do not think this is good approach in organization when people
> fluctuate quite often (think about apprentice group).
>
> fail2ban looks good, I'm trying it right now. Unless somebody will object
> I will add it to ./tasks/cloud_setup_basic.yml
> so all cloud images will use it.
>
> --
> Miroslav Suchy, RHCE, RHCDS
> Red Hat, Software Engineer, #brno, #devexp, #fedora-buildsys

Re: How we handle attacks?

2013-10-07 Thread inode0
On Mon, Oct 7, 2013 at 10:37 AM, Toshio Kuratomi  wrote:
> Objection.
>
> + Use denyhosts as this is what we're using on the rest of infra.
>
> + we should talk a bit about whether we want denyhosts on for all cloud
> boxes or just specific ones.  I lean towards enabling it for security but we
> did envision the cloud hosts being more forgiving than the rest of infra's
> hosts so we should just take a moment to make sure there's no use cases it's
> impacting.

If you do ever consider moving away from denyhosts, please take a look
at solutions that don't require log scraping, which denyhosts has
already proved can be yet another security hole. Philosophically I
don't see much difference between these two choices (denyhosts and
fail2ban, as both share in the less than optimal method of log scraping
to trigger action).

I would at least reconsider other options at that time. Things that
don't depend on logs, like pam_abl, seem to my mind to be better designed
with security in mind.

John