
Should we deploy sshguard on external IP addresses?
Open, Needs Triage, Public

Description

Some discussion has been around using sshguard (or fail2ban) on externally facing IP addresses. This has some utility in that it prevents follow-on, but not much specifically for preventing brute forces against our key-only ssh setup.

I have a preliminary puppet patch for this but obviously actual choices should be made.
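To make concrete what sshguard (or fail2ban) would add on a key-only host, here is an added example that is not part of the task or of the abandoned puppet change: a minimal sshguard-style detector that reads sshd syslog lines, counts failed pre-authentication events per source address in a sliding window, and reports the sources that cross a threshold. The log lines are constructed sample input (RFC 5737 documentation addresses, no real hosts); the match patterns follow standard OpenSSH log messages, while the threshold, window and assumed year are the example's own choices. With password authentication disabled, the "Invalid user" and "Connection closed by authenticating user ... [preauth]" lines are what a brute-force source leaves behind, which is why the tool's value here is limiting follow-on noise from a source rather than stopping a credential guess that key-only auth already rejects.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sshd log lines in syslog format. Sample input for this example
# only, not log data from the task or from any real host; addresses are from
# the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
Mar 21 21:30:00 bastion sshd[2101]: Accepted publickey for deploy from 192.0.2.44 port 40110 ssh2: ED25519 SHA256:constructed
Mar 21 21:30:05 bastion sshd[2102]: Invalid user admin from 203.0.113.5 port 50010
Mar 21 21:30:05 bastion sshd[2102]: Connection closed by invalid user admin 203.0.113.5 port 50010 [preauth]
Mar 21 21:30:12 bastion sshd[2103]: Invalid user oracle from 203.0.113.5 port 50011
Mar 21 21:30:12 bastion sshd[2103]: Connection closed by invalid user oracle 203.0.113.5 port 50011 [preauth]
Mar 21 21:30:19 bastion sshd[2104]: Invalid user test from 203.0.113.5 port 50012
Mar 21 21:30:26 bastion sshd[2105]: Invalid user ubuntu from 203.0.113.5 port 50013
Mar 21 21:30:33 bastion sshd[2106]: Invalid user pi from 203.0.113.5 port 50014
Mar 21 21:30:40 bastion sshd[2107]: Connection closed by authenticating user deploy 198.51.100.7 port 40200 [preauth]
Mar 21 21:31:02 bastion sshd[2108]: Connection closed by authenticating user deploy 198.51.100.7 port 40201 [preauth]
Mar 21 21:45:00 bastion sshd[2109]: Invalid user admin from 203.0.113.9 port 51000
"""

# Syslog timestamps carry no year; the constructed sample is dated 2019 (assumption).
ASSUMED_YEAR = 2019

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: (?P<msg>.*)$"
)

# Failed pre-auth events as OpenSSH logs them. "Connection closed by invalid
# user" is deliberately not listed: it always follows an "Invalid user" line
# for the same attempt and would double-count it.
EVENT_RES = [
    re.compile(r"Invalid user \S+ from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+"),
    re.compile(r"Failed password for (?:invalid user )?\S+ from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+"),
    re.compile(r"Connection closed by authenticating user \S+ (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+ \[preauth\]"),
]


def parse_event(line):
    """Return (timestamp, source_ip) for a failed pre-auth event, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    for event_re in EVENT_RES:
        em = event_re.search(m.group("msg"))
        if em:
            ts_text = " ".join(m.group("ts").split())  # collapse the padded day field
            ts = datetime.strptime(ts_text, "%b %d %H:%M:%S").replace(year=ASSUMED_YEAR)
            return ts, em.group("ip")
    return None


def event_counts(lines):
    """Failed pre-auth events per source address, over the whole input."""
    counts = defaultdict(int)
    for line in lines:
        ev = parse_event(line)
        if ev is not None:
            counts[ev[1]] += 1
    return dict(counts)


def find_offenders(lines, threshold=5, window=timedelta(seconds=120)):
    """sshguard-style sliding window: a source that produces `threshold` failed
    pre-auth events within `window` is returned with the time it crossed the
    threshold. Threshold and window values are this example's assumptions."""
    recent = defaultdict(deque)  # ip -> timestamps still inside the window
    offenders = {}
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        ts, ip = ev
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold and ip not in offenders:
            offenders[ip] = ts
    return offenders


if __name__ == "__main__":
    for ip, when in find_offenders(SAMPLE_LOG.splitlines()).items():
        print(f"block candidate: {ip} (threshold reached at {when:%Y-%m-%d %H:%M:%S})")
```

In the sample, only 203.0.113.5 crosses five failures inside two minutes; the legitimate user whose key was rejected twice from 198.51.100.7 and the single probe from 203.0.113.9 stay below the threshold, which is the behaviour one wants before wiring such a decision to a firewall rule.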

Event Timeline

crusnov created this task. Mar 21 2019, 9:39 PM
Restricted Application added a subscriber: Aklapper. Mar 21 2019, 9:39 PM

Change 498231 had a related patch set uploaded (by CRusnov; owner: CRusnov):
[operations/puppet@production] Add sshguard to base module.

https://gerrit.wikimedia.org/r/498231

crusnov moved this task from Backlog to In Progress on the User-crusnov board. Mar 21 2019, 9:44 PM
herron added a subscriber: herron. Apr 10 2019, 4:52 PM
crusnov moved this task from In Progress to Ready on the User-crusnov board. Apr 26 2019, 6:11 PM
crusnov moved this task from Ready to Backlog on the User-crusnov board. May 1 2019, 6:48 PM

Change 498231 abandoned by CRusnov:
Add sshguard to base module.

Reason:
no traction on this, applied at wrong level to be useful

https://gerrit.wikimedia.org/r/498231

crusnov moved this task from Backlog to Complete on the User-crusnov board. Jul 30 2019, 10:50 PM

@Jcross, @crusnov: As Security-Team was removed from this task, can you please associate at least one active project with this task (via the Add Action...Change Project Tags dropdown). This will allow others to find this task when looking at a corresponding project workboard.
Or should this task be declined maybe?

Jcross added a comment. Edited Mon, Sep 23, 10:23 PM

Hi everyone,

While cleaning up our workboard during a team meeting, we noted that this ticket was marked "Complete" on the user-crusnov board and thus removed our team tag from the ticket. If there are any / additional tasks for the security-team to perform please let us know and we would be happy to address.

This was fallout of the last flea vandalism incident. I don't think we've had any meaningful discussion on whether or not this still seems like a good idea. (I think it might be worthy.)

I think the general consensus I've heard is that external load balancers don't or can't have firewall rules, but perhaps we should consider it on a case-by-case basis for other external services.