Page MenuHomePhabricator

Should we deploy sshguard on external IP addresses?
Open, Needs TriagePublic

Description

Some discussion has been around using sshguard (or fail2ban) on externally facing IP addresses. This has some utility in that it prevents follow-on, but not much specifically for preventing brute forces against our key-only ssh setup.

I have a preliminary puppet patch for this but obviously actual choices should be made.

Event Timeline

crusnov created this task.Mar 21 2019, 9:39 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptMar 21 2019, 9:39 PM

Change 498231 had a related patch set uploaded (by CRusnov; owner: CRusnov):
[operations/puppet@production] Add sshguard to base module.

https://gerrit.wikimedia.org/r/498231

crusnov moved this task from Backlog to In Progress on the User-crusnov board.Mar 21 2019, 9:44 PM
herron added a subscriber: herron.Apr 10 2019, 4:52 PM
crusnov moved this task from In Progress to Ready on the User-crusnov board.Apr 26 2019, 6:11 PM
crusnov moved this task from Ready to Backlog on the User-crusnov board.May 1 2019, 6:48 PM