commit b5e7b566e1510975f0751e1690282803cd54ad6b
Author: Maksim Malchuk <email address hidden>
Date: Tue Mar 29 18:50:16 2016 +0300
SSH brute force protection
To block an SSH brute force attack, we just need to slow down the
flow of requests. We can do this by rate-limiting requests to SSH
with iptables. The benefit of using iptables to block SSH attacks
is that you don’t need any added software, so we can easily support this
solution.
This change will block an IP if it attempts more than 3 connections
per minute (60 seconds) to SSH. These parameters are configurable.
Also, this protection would be enabled only if an empty ssh_network
(set to 0.0.0.0/0 which means world-wide open) is provided.
All SSH brute-force attempts are blocked only on the non-admin interface,
because automated Fuel deployments via the fuel-devops or fuel-virtualbox
scripts make many connections during the installation process.
All SSH brute-force connections are logged by default.
Reviewed: https://review.openstack.org/298846
Committed: https://git.openstack.org/cgit/openstack/fuel-library/commit/?id=b5e7b566e1510975f0751e1690282803cd54ad6b
Submitter: Jenkins
Branch: master
DocImpact
Depends-On: I06161e8d819e40bc5827b3fda7f614c0ea5d4fd3
Change-Id: I0f452c8b0a808789aa4c2cd85d1d00556b210a39
Closes-Bug: #1540073
Signed-off-by: Maksim Malchuk <email address hidden>
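The mechanism the commit message describes, as an added example that is not the fuel-library change itself (its diff is not on this page): the rules it renders assume the iptables xt_recent match with `--set` and `--update --seconds N --hitcount M`, which is the usual iptables way to rate-limit new connections, and the small model next to them shows why "more than 3 connections per minute" becomes `--hitcount 4` and why a source that keeps hammering stays blocked until it pauses for a full window. The interface name eth1, the list name SSH and the connection timeline are constructed for illustration.

```python
"""Model of iptables xt_recent-based SSH rate limiting (added example).

Assumptions not taken from the commit page: the rule form (--set /
--update --seconds --hitcount), the list name, the interface name and
the sample connection timeline are all constructed for illustration.
"""
from collections import defaultdict

SECONDS = 60             # window length: "per minute" in the commit message
MAX_CONNECTIONS = 3      # connections allowed per window; the next one is blocked
LIST_NAME = "SSH"        # xt_recent list name (assumed)
NON_ADMIN_IFACE = "eth1"  # constructed; the commit limits only non-admin interfaces
PKT_LIST_TOT = 20        # xt_recent keeps this many timestamps per address (module default)


def iptables_rules(iface=NON_ADMIN_IFACE, seconds=SECONDS,
                   max_conn=MAX_CONNECTIONS, log=True):
    """Render the iptables commands for one interface as a list of strings.

    xt_recent's --hitcount includes the packet being evaluated, so "more than
    max_conn connections per window" translates to --hitcount max_conn + 1.
    """
    base = (f"iptables -A INPUT -i {iface} -p tcp --dport 22 "
            f"-m conntrack --ctstate NEW -m recent --name {LIST_NAME}")
    limit = f"--update --seconds {seconds} --hitcount {max_conn + 1}"
    rules = [f"{base} --set"]                 # record every new connection
    if log:                                   # the commit logs blocked attempts by default
        rules.append(f'{base} {limit} -j LOG --log-prefix "ssh-bruteforce: "')
    rules.append(f"{base} {limit} -j DROP")
    return rules


class RecentList:
    """Small model of xt_recent's per-address timestamp list.

    The --set rule appends the current timestamp; each --update rule counts
    the timestamps inside the window and, when the count reaches hitcount,
    matches AND appends another timestamp (that is the "update" part), so a
    persistent attacker keeps refreshing its own block.
    """

    def __init__(self, seconds=SECONDS, max_conn=MAX_CONNECTIONS, log=True):
        self.seconds = seconds
        self.hitcount = max_conn + 1
        self.update_rules = 2 if log else 1   # LOG and DROP both use --update
        self.stamps = defaultdict(list)

    def _record(self, src, ts):
        stamps = self.stamps[src]
        stamps.append(ts)
        del stamps[:-PKT_LIST_TOT]            # keep only the newest entries

    def new_connection(self, src, ts):
        """Return 'ACCEPT' or 'DROP' for a NEW SSH connection from src at time ts."""
        self._record(src, ts)                 # the --set rule
        verdict = "ACCEPT"
        for _ in range(self.update_rules):
            in_window = sum(1 for t in self.stamps[src] if ts - t <= self.seconds)
            if in_window >= self.hitcount:
                self._record(src, ts)         # --update refreshes the entry
                verdict = "DROP"
        return verdict


def simulate(events, **kwargs):
    """Run a constructed sequence of (timestamp, source) through the model."""
    rl = RecentList(**kwargs)
    return [(ts, src, rl.new_connection(src, ts)) for ts, src in events]


if __name__ == "__main__":
    for rule in iptables_rules():
        print(rule)
    # constructed timeline: 10.0.0.5 hammers port 22, 10.0.0.9 logs in normally
    events = [(0, "10.0.0.5"), (10, "10.0.0.5"), (20, "10.0.0.5"), (30, "10.0.0.5"),
              (35, "10.0.0.9"), (70, "10.0.0.5"), (100, "10.0.0.5"), (170, "10.0.0.5")]
    for ts, src, verdict in simulate(events):
        print(f"t={ts:>4}s {src:<10} {verdict}")
```

In the constructed timeline the fourth connection from 10.0.0.5 inside the first minute is dropped, the attempts at 70 s and 100 s are still dropped because every matched packet refreshes the address's timestamps, and only the attempt at 170 s, after a full 60-second pause, is accepted again; 10.0.0.9 is never affected because the list is kept per source address. On the admin interface, where the deployment scripts open many connections in a short time, the same rules would block legitimate traffic, which is the reason the commit applies them only to non-admin interfaces.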