John Hardin wrote:
> One thing I noticed while troubleshooting the recent ruleqa problems on
> the zone VMs was the number of failed SSH logins to random and system
> accounts. I was contemplating putting in explicit DenyUsers for the
> various system accounts, but I was a little reluctant to do system-level
> stuff like that without infra involvement.
>
> Should we (ask infra to) put something like fail2ban on the zones boxes,
> and add explicit DenyUsers for the existing system accounts (like
> postgres(!))?

Can't hurt. But perhaps more importantly: at our site most ssh-reachable
hosts have password-based logins disabled; the only allowed method is using
an RSA key. To cut down the log file growth we also use sshguard - similar
to fail2ban.

I would suggest disabling password-based ssh logins, if possible/practical.

sshd_config:

  PasswordAuthentication no
  ChallengeResponseAuthentication no

(after first copying public keys to each ~/.ssh/authorized_keys that needs it)

> More generally: how autonomous are we the SA devs in administration of the
> zone VMs?

Don't know.

> I was reminded by this:
> http://isc.sans.edu/diary/SSH+Password+Brute+Forcing+may+be+on+the+Rise/12133

Yes, scary, we see it all the time.

Mark
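Added example, not part of the thread above: a small POSIX sh script that checks an sshd_config for the two settings Mark recommends and builds a DenyUsers line for the system accounts John mentions. It honours OpenSSH's rule that the first occurrence of a directive wins and that both directives default to "yes" when absent, so a commented-out or duplicated line does not silently leave password logins enabled. The config and passwd contents are constructed for the demo; the uid-below-1000 convention for system accounts is an assumption about the host, not something the thread states.

```shell
#!/bin/sh
# Added example (not code from the mailing-list thread). Assumes POSIX sh,
# awk, sed and mktemp. Sample config/passwd content below is constructed.
set -u

# get_sshd_option FILE KEYWORD
# Prints the effective value of KEYWORD. OpenSSH uses the FIRST matching
# directive (later duplicates are ignored), so stop at the first hit, skip
# comments, and stop at the first "Match" block since values inside it only
# apply to matching connections. (On a live host, `sshd -T` prints the
# effective configuration and is the authoritative check.)
get_sshd_option() {
    awk -v key="$2" '
        /^[[:space:]]*#/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == tolower(key) { print $2; exit }
    ' "$1"
}

# audit_sshd_config FILE
# Prints findings; returns 0 only if password-based logins are disabled.
audit_sshd_config() {
    f=$1; rc=0
    pw=$(get_sshd_option "$f" PasswordAuthentication)
    cr=$(get_sshd_option "$f" ChallengeResponseAuthentication)
    # Both directives default to "yes" when absent, so "unset" is a finding.
    if [ "$(printf %s "${pw:-yes}" | tr 'A-Z' 'a-z')" != no ]; then
        echo "WEAK: PasswordAuthentication is ${pw:-unset, default yes}"; rc=1
    fi
    if [ "$(printf %s "${cr:-yes}" | tr 'A-Z' 'a-z')" != no ]; then
        echo "WEAK: ChallengeResponseAuthentication is ${cr:-unset, default yes}"; rc=1
    fi
    return $rc
}

# deny_users_line PASSWD_FILE
# Builds a "DenyUsers ..." line from accounts with uid < 1000 other than root
# (root is normally governed by PermitRootLogin), so service accounts such as
# postgres can never authenticate over ssh even if a password were set.
# The uid threshold is a common convention, assumed here, not universal.
deny_users_line() {
    awk -F: '$3 < 1000 && $1 != "root" { printf "%s%s", sep, $1; sep=" " } END { print "" }' "$1" |
        sed 's/^/DenyUsers /'
}

# Demo on constructed files: a weak config (password auth left on, the "no"
# only in a comment) beside the hardened one from the thread.
demo_dir=$(mktemp -d)
printf '# PasswordAuthentication no\nPasswordAuthentication yes\n' > "$demo_dir/weak"
printf 'PasswordAuthentication no\nChallengeResponseAuthentication no\n' > "$demo_dir/hard"
printf 'root:x:0:0:root:/root:/bin/sh\npostgres:x:26:26::/var/lib/pgsql:/bin/sh\nalice:x:1000:1000::/home/alice:/bin/sh\n' > "$demo_dir/passwd"

echo "--- weak config"
audit_sshd_config "$demo_dir/weak" || echo "password logins still possible"
echo "--- hardened config"
audit_sshd_config "$demo_dir/hard" && echo "password logins disabled"
echo "--- suggested DenyUsers line"
deny_users_line "$demo_dir/passwd"
rm -rf "$demo_dir"
```

Running the script against the weak sample reports both directives, because the only "no" is commented out and ChallengeResponseAuthentication is absent (so it defaults to yes); the hardened sample passes, and the passwd sample yields "DenyUsers postgres".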
