Enable bruteforce protection for SSH service
Bug #1330923 reported by Timur Nurlygayanov
This bug affects 1 person

Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Fuel for OpenStack | Won't Fix | Medium | Max Mazur |
Bug Description
Enable bruteforce protection for SSH: we should be ready for production environments and we need to protect the SSH service.
Right now we allow any number of login attempts for SSH, and it's not secure.
On our environment we configured the SSH service to block an IP address after 3 incorrect login attempts, and we can do this in vanilla Fuel, 'out of the box'.
We need to enable this feature on the Fuel master node and on all OpenStack nodes too.
Changed in fuel: assignee: nobody → Max Mazur (mmaxur)
e.g. add
- fail2ban
or something like
iptables -A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m hashlimit --hashlimit 1/hour --hashlimit-burst 2 --hashlimit-mode srcip --hashlimit-name SSH --hashlimit-htable-expire 60000 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 22 --tcp-flags SYN,RST,ACK SYN -j DROP
iptables -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
or
iptables -A INPUT -p tcp --dport 22 -m recent --set --name SEC --syn -m state --state NEW -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -m recent --update --seconds 60 --hitcount 3 --rttl --name SEC -j LOG --log-prefix "BRUTE_FORCE"
iptables -A INPUT -p tcp --dport 22 -m recent --update --seconds 60 --hitcount 3 --rttl --name SEC -j DROP
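The firewall rules above count connection attempts at the packet level; the "3 incorrect login attempts" policy from the bug description is what fail2ban does by reading sshd's log. The following is an added example (not code from this bug report, Fuel, or fail2ban) of that log-side detection: it parses constructed auth.log lines, applies a sliding window of 3 failures in 60 seconds per source IP (mirroring the `--hitcount 3 --seconds 60` of the `recent` rules), and renders one DROP rule per offender. The log lines, the year (syslog timestamps carry none) and the rule form are this example's own assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample auth.log lines (not real data): one host hammering sshd
# with bad passwords, one host with a single typo then a key login, and one
# host failing slowly (one attempt every five minutes).
SAMPLE_AUTH_LOG = """\
Jul 10 12:00:01 node-1 sshd[2101]: Failed password for root from 203.0.113.7 port 51122 ssh2
Jul 10 12:00:05 node-1 sshd[2103]: Failed password for invalid user admin from 203.0.113.7 port 51123 ssh2
Jul 10 12:00:09 node-1 sshd[2105]: Failed password for root from 203.0.113.7 port 51124 ssh2
Jul 10 12:00:30 node-1 sshd[2107]: Failed password for fuel from 198.51.100.4 port 40011 ssh2
Jul 10 12:00:40 node-1 sshd[2108]: Accepted publickey for fuel from 198.51.100.4 port 40012 ssh2
Jul 10 12:05:00 node-1 sshd[2110]: Failed password for root from 192.0.2.9 port 33001 ssh2
Jul 10 12:10:00 node-1 sshd[2111]: Failed password for root from 192.0.2.9 port 33002 ssh2
Jul 10 12:15:00 node-1 sshd[2112]: Failed password for root from 192.0.2.9 port 33003 ssh2
"""

# Matches OpenSSH "Failed password" lines, with or without "invalid user".
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>[\d.]+) port \d+"
)


def parse_failures(log_text, year=2014):
    """Yield (timestamp, source_ip) for every failed-password line.

    syslog timestamps carry no year, so the caller supplies one (assumed
    2014 here, the year of the bug report)."""
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
        yield ts, m.group("ip")


def find_offenders(log_text, maxretry=3, findtime=60):
    """Return {ip: time_of_third_failure} for sources that reach maxretry
    failures within any findtime-second window (sliding window per IP)."""
    windows = defaultdict(deque)
    banned = {}
    for ts, ip in parse_failures(log_text):
        if ip in banned:
            continue  # already decided; a real tool would also track bantime
        q = windows[ip]
        q.append(ts)
        # Drop failures that fell out of the window (q is never empty here).
        while (ts - q[0]).total_seconds() > findtime:
            q.popleft()
        if len(q) >= maxretry:
            banned[ip] = ts
    return banned


def drop_rules(offenders):
    """Render one SSH DROP rule per offender (assumed rule form; the rules
    are returned as strings, not executed)."""
    return [f"iptables -I INPUT -s {ip} -p tcp --dport 22 -j DROP"
            for ip in sorted(offenders)]


if __name__ == "__main__":
    hits = find_offenders(SAMPLE_AUTH_LOG)
    for ip, when in hits.items():
        print(f"{ip} reached 3 failures at {when:%H:%M:%S}")
    print("\n".join(drop_rules(hits)))
```

With the defaults only 203.0.113.7 is flagged; the slow host 192.0.2.9 never has 3 failures inside 60 seconds, which is exactly the trade-off `findtime` (or `--seconds`) controls: a longer window catches low-and-slow guessing at the cost of banning a legitimate user who mistypes a few times over several minutes.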