Comment 13 for bug 1540073

OpenStack Infra (hudson-openstack) wrote : Fix merged to fuel-library (master)

Reviewed: https://review.openstack.org/298846
Committed: https://git.openstack.org/cgit/openstack/fuel-library/commit/?id=b5e7b566e1510975f0751e1690282803cd54ad6b
Submitter: Jenkins
Branch: master

commit b5e7b566e1510975f0751e1690282803cd54ad6b
Author: Maksim Malchuk <email address hidden>
Date: Tue Mar 29 18:50:16 2016 +0300

    SSH brute force protection

    To block an SSH brute force attack, we just need to slow down the
    flow of requests. We can do this by rate-limiting requests to SSH
    with iptables. The benefit of using iptables to block SSH attacks
    is that you don't need any added software, so we can easily support
    this solution.

    This change will block an IP if it attempts more than 3 connections
    per minute (60 seconds) to SSH. These parameters are configurable.
    Also, this protection would be enabled only if an empty ssh_network
    (set to 0.0.0.0/0 which means world-wide open) is provided.

    All SSH brute-force attempts are blocked only on the non-admin
    interface, because automated Fuel deployment via the fuel-devops or
    fuel-virtualbox scripts makes many connections during the
    installation process.

    All SSH brute-force connections are logged by default.

    DocImpact
    Depends-On: I06161e8d819e40bc5827b3fda7f614c0ea5d4fd3
    Change-Id: I0f452c8b0a808789aa4c2cd85d1d00556b210a39
    Closes-Bug: #1540073
    Signed-off-by: Maksim Malchuk <email address hidden>
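The rate limit the commit message describes, written out as an added example; this is not the fuel-library change itself and not the author's code. It assumes the iptables `recent` match (a common way to implement per-source rate limits), a chain name `SSH_RATE_LIMIT`, a match list name `ssh_attempts`, and an admin interface name passed in by the caller; all of these are choices made here, not taken from the page. The script only generates the rules unless `APPLY=1` is set, so it can be inspected offline, and the "more than 3 connections per minute" threshold is expressed as `--seconds 60 --hitcount 4` (the 4th new connection within 60 seconds is the first one dropped).

```shell
#!/bin/sh
# Added example, not fuel-library's own code. Generates (and optionally
# applies) iptables rules that rate-limit new SSH connections per source
# address, log the blocked attempts, and skip the admin interface.
# Assumed here, not from the page: the "recent" match, the chain name
# SSH_RATE_LIMIT, the list name ssh_attempts, and the interface name.

# ssh_ratelimit_needed NETWORK
# Returns 0 only when ssh_network is world-open (0.0.0.0/0), mirroring the
# condition under which the commit enables the protection.
ssh_ratelimit_needed() {
    [ "$1" = "0.0.0.0/0" ]
}

# ssh_ratelimit_rules ADMIN_IFACE [SECONDS] [HITCOUNT]
# Prints one iptables command per line. HITCOUNT is the number of new
# connections within SECONDS at which a source is blocked, so "more than
# 3 per minute" is SECONDS=60 HITCOUNT=4. Rules are skipped for packets
# arriving on ADMIN_IFACE (the "! -i" negation), because deployment tooling
# opens many SSH sessions there.
ssh_ratelimit_rules() {
    iface=$1
    seconds=${2:-60}
    hitcount=${3:-4}
    cat <<EOF
iptables -N SSH_RATE_LIMIT
iptables -A INPUT ! -i ${iface} -p tcp --dport 22 -m conntrack --ctstate NEW -j SSH_RATE_LIMIT
iptables -A SSH_RATE_LIMIT -m recent --name ssh_attempts --set
iptables -A SSH_RATE_LIMIT -m recent --name ssh_attempts --rcheck --seconds ${seconds} --hitcount ${hitcount} -j LOG --log-prefix "ssh-brute-force: " --log-level 4
iptables -A SSH_RATE_LIMIT -m recent --name ssh_attempts --update --seconds ${seconds} --hitcount ${hitcount} -j DROP
iptables -A SSH_RATE_LIMIT -j RETURN
EOF
}

# Constructed sample invocation: an admin interface named "eth0" and a
# world-open ssh_network, which is the case the commit protects.
SAMPLE_ADMIN_IFACE=eth0
SAMPLE_SSH_NETWORK=0.0.0.0/0

if ssh_ratelimit_needed "$SAMPLE_SSH_NETWORK"; then
    if [ "${APPLY:-0}" = 1 ]; then
        # Real application requires root and iptables; off by default.
        ssh_ratelimit_rules "$SAMPLE_ADMIN_IFACE" 60 4 | sh
    else
        ssh_ratelimit_rules "$SAMPLE_ADMIN_IFACE" 60 4
    fi
else
    echo "ssh_network is restricted; no rate limit needed"
fi
```

The LOG rule uses `--rcheck` so that only the DROP rule (`--update`) refreshes the source's timestamp; otherwise a persistent attacker would extend its own block window on every logged packet. Setting `APPLY=1` pipes the generated commands into `sh`, which is the only step that needs root.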