[SAC] installing fail2ban?

Hamish hamish_b at yahoo.com
Wed Jun 1 19:07:09 EDT 2011


Alex Mandel wrote:
> > +1 on fail2ban
> >[...]
> > So while I'm not in love with Root login via ssh, we
> > don't have console access to the VMs so it would pose an
> > issue when LDAP is down.
>
Frank:
> I am supportive of installing fail2ban if someone is
> willing to take the action item.

Now installed on the adhoc VM, and already doing its job.

I added 127.0.1.1 to the ignoreip list in jail.conf, as that's
added as a dummy IP for `hostname` in the /etc/hosts file of recent
Debians & Ubuntus (so that `hostname` always resolves to something;
mostly useful for laptops which go off-line a lot but still need to
resolve; fixed IPs may replace that with a hard-coded version).

One FAQ gotcha I ran into is that before running the init.d
script I had to "unset TZ" (as me), otherwise the following
sudo caused the log file timestamps to be hours out of sync
and the program not to work.

I would suggest that others have a peek at /var/log/auth.log on
the other VMs for many thousands of 'Failed password' per day,
and deploy there as appropriate. (I don't have the necessary
sac'ness to do that myself)


> I'm not inclined to changing the root login arrangements for
> the reasons Alex explains.

ok.


Another tool to consider is `portsentry`, which detects port
scans and blackholes the IPs of those trying the locks. It is
both more dumb and more harsh than fail2ban (knock on port "x"
and you get banned, and firewall rules persist until reboot, vs.
fail2ban's forgiveness fuse) so I do not propose to use it for
the osgeo VMs right now, but I wonder if variants or hacks of
that might be better. Or do we just firewall everything then open
ports 22, 80, etc as needed?


Hamish



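Added example, not part of the post above and not fail2ban's own code: a small Python model of what the ssh jail does with the three settings the thread touches on (ignoreip, maxretry within findtime, and a bantime that lapses, i.e. the "forgiveness fuse"), replayed over a handful of constructed auth.log lines. It also does the "count 'Failed password' per source IP" check suggested for the other VMs. The jail.local fragment, the log lines, the hostname, PIDs and addresses are all made up for the example; the log year is pinned to 2011 because syslog timestamps carry none.

```python
"""Toy model of a fail2ban ssh jail replayed over auth.log lines.

Added example, not fail2ban's own code: mimics ignoreip, maxretry
within findtime, and an expiring bantime, and doubles as the
"failed passwords per source IP" check.
"""
import configparser
import ipaddress
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

# Constructed jail.local fragment. The keys are fail2ban's own; the
# values are invented for the example (127.0.1.1 is in ignoreip as
# the post describes, next to the usual 127.0.0.1).
JAIL_LOCAL = """\
[DEFAULT]
ignoreip = 127.0.0.1 127.0.1.1 10.0.0.0/8
bantime  = 600
findtime = 600
maxretry = 3

[ssh]
enabled = true
port    = ssh
filter  = sshd
logpath = /var/log/auth.log
"""

# Constructed auth.log lines: hostname, PIDs and ports are invented,
# addresses come from the RFC 5737 documentation ranges.
AUTH_LOG = """\
Jun  1 19:00:01 adhoc sshd[1234]: Failed password for root from 203.0.113.5 port 40001 ssh2
Jun  1 19:00:03 adhoc sshd[1235]: Failed password for invalid user admin from 203.0.113.5 port 40002 ssh2
Jun  1 19:00:04 adhoc sshd[1236]: Failed password for root from 127.0.1.1 port 40003 ssh2
Jun  1 19:00:05 adhoc sshd[1237]: Failed password for root from 127.0.1.1 port 40004 ssh2
Jun  1 19:00:06 adhoc sshd[1238]: Failed password for root from 127.0.1.1 port 40005 ssh2
Jun  1 19:00:07 adhoc sshd[1239]: Failed password for root from 203.0.113.5 port 40006 ssh2
Jun  1 19:00:08 adhoc sshd[1240]: Failed password for root from 203.0.113.5 port 40007 ssh2
Jun  1 19:00:09 adhoc sshd[1241]: Accepted publickey for hamish from 198.51.100.7 port 50000 ssh2
Jun  1 19:00:10 adhoc sshd[1242]: Failed password for root from 198.51.100.7 port 50001 ssh2
Jun  1 19:20:10 adhoc sshd[1243]: Failed password for root from 198.51.100.7 port 50002 ssh2
Jun  1 19:40:10 adhoc sshd[1244]: Failed password for root from 198.51.100.7 port 50003 ssh2
"""

# Both sshd failure forms ("for root" and "for invalid user X").
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>\S+) port \d+"
)


def parse_failures(log_text, year=2011):
    """Yield (timestamp, source_ip) for each failed-password line.

    Timestamps are naive, i.e. in whatever zone the log was written
    in; a process reading them under a different TZ mis-ages them.
    """
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["ip"]


def count_failures(log_text):
    """The manual check: failed-password attempts per source address."""
    return Counter(ip for _, ip in parse_failures(log_text))


def load_jail(text, jail="ssh"):
    """Read the jail's settings; [DEFAULT] values are inherited."""
    cfg = configparser.ConfigParser()
    cfg.read_string(text)
    sec = cfg[jail]
    return {
        "ignoreip": [ipaddress.ip_network(s, strict=False)
                     for s in sec["ignoreip"].split()],
        "bantime": timedelta(seconds=int(sec["bantime"])),
        "findtime": timedelta(seconds=int(sec["findtime"])),
        "maxretry": int(sec["maxretry"]),
    }


def is_ignored(ip, ignore_nets):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ignore_nets)


def simulate(log_text, jail):
    """Replay the log through the jail rules.

    Returns (bans, ignored): bans is a list of (ip, ban_start, ban_end)
    in log order; ignored counts failures discarded because of ignoreip.
    """
    recent = defaultdict(deque)   # ip -> failure times inside findtime
    banned_until = {}             # ip -> when its ban lapses
    bans, ignored = [], Counter()
    for ts, ip in parse_failures(log_text):
        if is_ignored(ip, jail["ignoreip"]):
            ignored[ip] += 1
            continue
        if ip in banned_until and ts < banned_until[ip]:
            continue              # still banned; firewall would drop it
        window = recent[ip]
        window.append(ts)
        while ts - window[0] > jail["findtime"]:
            window.popleft()      # old failures age out: the fuse resets
        if len(window) >= jail["maxretry"]:
            banned_until[ip] = ts + jail["bantime"]
            bans.append((ip, ts, banned_until[ip]))
            window.clear()
    return bans, dict(ignored)


if __name__ == "__main__":
    jail = load_jail(JAIL_LOCAL)
    print("failures per source:", dict(count_failures(AUTH_LOG)))
    bans, ignored = simulate(AUTH_LOG, jail)
    for ip, start, end in bans:
        print(f"ban {ip} at {start:%H:%M:%S}, lifts {end:%H:%M:%S}")
    print("ignored via ignoreip:", ignored)
```

Replaying the sample: 203.0.113.5 trips maxretry on its third failure inside findtime and is banned for bantime, its fourth attempt is dropped as already banned, 127.0.1.1's three failures are discarded by ignoreip, and 198.51.100.7 is never banned because its failures are 20 minutes apart and age out of the 600 s window, which is the forgiveness that portsentry's reboot-persistent blackholing lacks. Two practical notes: the datetimes are naive, so a daemon running under a different TZ than syslog sees every entry as hours old or hours in the future, which is the symptom described in the post; and local overrides such as the ignoreip addition are normally kept in jail.local so that package upgrades of jail.conf do not clobber them.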