[SAC] installing fail2ban?

Hamish hamish_b at yahoo.com
Fri May 27 20:24:15 EDT 2011


Hi,

Any objection to installing fail2ban on the adhoc VM? It's a
daemon which watches /var/log/auth.log and if an IP has more than
say 6 failed passwd ssh attempts in say 10 minutes, it alters
the firewall rules to drop traffic from them for (say) 10 minutes.
Effectively it stops brute force passwd attacks but is not too
harsh on forgetful and butter-fingered users.

Perhaps installing portsentry and more fine-grained firewalls in
general could be explored? Stronger encouragement of public/
private key use?

Also I'd suggest to check that /etc/ssh/sshd_config contains
 PermitRootLogin no
But I'm not sure if OSUOSL or anyone is using that?


Compared to some of my other systems, the failed ssh attempts on
adhoc are not so high, but they still dwarf the number of real
user logins:

zcat /var/log/auth.log* | grep 'Failed password' | \
  grep sshd | awk '{print $1,$2}' | sort -k 1,1M -k 2n | \
  uniq -c

cat /var/log/auth.log* | grep 'Failed password' | \
  grep sshd | awk '{print $1,$2}' | sort -k 1,1M -k 2n | \
  uniq -c

    118 Apr 24
   7071 Apr 25
    342 Apr 26
      2 Apr 27
     39 Apr 29
   2203 Apr 30
      1 May 1
    563 May 4
     61 May 5
      1 May 6
      9 May 7
      4 May 8
     38 May 9
    429 May 11
     33 May 12
     22 May 13
      1 May 14
    264 May 15
      1 May 16
   1403 May 17
      1 May 19
    493 May 20
    130 May 21
    274 May 22
     72 May 23
     19 May 25
    477 May 26
    334 May 27


regards,
Hamish
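
Added example (not part of the original message and not fail2ban's own code): a minimal Python sketch of the sliding-window logic the message describes, using its figures (more than 6 failures in 10 minutes, 10-minute ban). The log lines, hostname, user name and IP addresses are constructed, and the year is an assumption because syslog timestamps omit it.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Figures from the message: more than 6 failures in 10 minutes -> 10 minute ban.
MAX_FAILURES = 6
FIND_TIME = timedelta(minutes=10)
BAN_TIME = timedelta(minutes=10)

FAILED = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (\S+) port \d+"
)

# Constructed sample lines (not from the adhoc VM); IPs are documentation ranges.
SAMPLE = [
    f"May 27 03:00:{s:02d} adhoc sshd[4242]: Failed password for root "
    f"from 203.0.113.5 port 40000 ssh2"
    for s in range(0, 40, 5)  # 8 rapid failures from one address
] + [
    "May 27 09:01:10 adhoc sshd[5151]: Failed password for alice from 198.51.100.7 port 50122 ssh2",
    "May 27 09:01:40 adhoc sshd[5151]: Failed password for alice from 198.51.100.7 port 50122 ssh2",
    "May 27 09:02:05 adhoc sshd[5151]: Accepted password for alice from 198.51.100.7 port 50122 ssh2",
]

def find_bans(lines, year=2011):
    """Return [(ip, ban_start, ban_end)] for each ban the thresholds would trigger."""
    recent = defaultdict(deque)  # ip -> failure timestamps still inside the window
    banned_until = {}
    bans = []
    for line in lines:
        m = FAILED.match(line)
        if not m:
            continue
        # syslog timestamps carry no year, so the caller supplies one (assumed)
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        ip = m.group(2)
        if ip in banned_until and ts < banned_until[ip]:
            continue  # traffic from this address would already be dropped
        window = recent[ip]
        window.append(ts)
        while ts - window[0] > FIND_TIME:
            window.popleft()  # forget failures older than the 10 minute window
        if len(window) > MAX_FAILURES:
            banned_until[ip] = ts + BAN_TIME
            bans.append((ip, ts, ts + BAN_TIME))
            window.clear()
    return bans
```

Calling find_bans(SAMPLE) bans only the address with the rapid failures; the user who mistypes twice and then logs in is never blocked.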


