SSH brute force protection
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Fuel for OpenStack | Confirmed | Undecided | Fuel Documentation Team |
Bug Description
https:/
Dear bug triager. This bug was created since a commit was marked with DOCIMPACT.
commit b5e7b566e151097
Author: Maksim Malchuk <email address hidden>
Date: Tue Mar 29 18:50:16 2016 +0300
SSH brute force protection
To block an SSH brute force attack, we just need to slow down the
flow of requests. We can do this by rate-limiting requests to SSH
with iptables. The benefit of using iptables to block SSH attacks
is you don’t need any added software so we can easily support this
solution.
This change will block an IP if it attempts more than 3 connections
per minute (60 seconds) to SSH. These parameters are configurable.
Also, this protection would be enabled only if an empty ssh_network
(set to 0.0.0.0/0 which means world-wide open) is provided.
All SSH brute-force attempts are blocked only on the non-admin interface,
because automated Fuel deployment via fuel-devops or fuel-virtualbox
scripts are doing many connections during the installation process.
All SSH brute-force connections are logged by default.
DocImpact
Depends-On: I06161e8d819e40
Change-Id: I0f452c8b0a8087
Closes-Bug: #1540073
Signed-off-by: Maksim Malchuk <email address hidden>
Changed in fuel:
assignee: nobody → Fuel Documentation Team (fuel-docs)
status: New → Confirmed
milestone: none → 10.0
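The rate limit described in the commit message, sketched as an added example (not the Fuel change's own code): a shell function that prints, without applying, iptables rules that log and drop a source exceeding the allowed number of new SSH connections per window on any non-admin interface. It assumes the `recent` match is the mechanism; the list name `ssh_bf`, the log prefix and the interface name `eth0` are hypothetical.

```shell
#!/bin/sh
# Added example: prints (does not apply) iptables rules for SSH rate limiting.
# Assumptions: the xt_recent match, the list name "ssh_bf", the log prefix and
# the interface name are illustrative, not taken from the Fuel change.

ssh_bruteforce_rules() {
    ssh_network=$1    # allowed SSH source network; 0.0.0.0/0 = open world-wide
    admin_if=$2       # admin interface, exempt from the limit
    max_conn=${3:-3}  # new connections allowed per window
    window=${4:-60}   # window length in seconds

    # The protection applies only when SSH is open to the whole world.
    [ "$ssh_network" = "0.0.0.0/0" ] || return 0

    # Both parameters must be plain non-negative integers.
    case "$max_conn$window" in
        *[!0-9]*) echo "max_conn and window must be integers" >&2; return 1 ;;
    esac

    # "More than N" means the (N+1)th new connection in the window is dropped.
    hitcount=$((max_conn + 1))

    # Older kernels remember 20 packets per address by default (xt_recent
    # ip_pkt_list_tot) and reject a larger hitcount, so stay within that.
    if [ "$hitcount" -gt 20 ]; then
        echo "hitcount $hitcount is above the xt_recent default of 20" >&2
        return 1
    fi

    match="! -i $admin_if -p tcp --dport 22 -m conntrack --ctstate NEW"
    match="$match -m recent --name ssh_bf"
    limit="--rcheck --seconds $window --hitcount $hitcount"

    # 1. Record every new SSH connection against its source address.
    printf '%s\n' "iptables -A INPUT $match --set"
    # 2. Log sources that are over the limit, then 3. drop them.
    printf '%s\n' "iptables -A INPUT $match $limit -j LOG --log-prefix \"ssh_brute_force: \""
    printf '%s\n' "iptables -A INPUT $match $limit -j DROP"
}

# Defaults from the commit message: more than 3 connections per 60 seconds.
ssh_bruteforce_rules "0.0.0.0/0" "eth0"
```

Review the printed rules before applying them as root; they must sit ahead of any rule that accepts port 22 in the INPUT chain, or the limit is never evaluated.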