Archive for the 'Fedora' Category

Firewalling SSH brute force attacks.

September 21, 2011

Anyone who runs their own Linux server knows the annoyance of looking through the log files to see automated SSH brute force attacks trying to find a login to the machine. In the past, I’ve avoided this problem simply by running sshd on a non-traditional port, which makes all the automated scripts that attack port 22 fail.

I recently had to move sshd back to port 22, and I quickly tired of seeing 5k failed login attempts every day.

UPDATE: After some Googling, and after taking into account a lot of good advice from the comments, as well as from John and Smooge, here’s how I’ve rewritten my firewall to protect against brute force ssh attacks.

# set default policies
iptables -P INPUT DROP

# all pre-established clients
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# new inbound ssh, protecting against brute-force attacks
iptables -A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent --set --name SSH
iptables -A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j DROP
iptables -A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT

The changes improve efficiency by moving all the RELATED and ESTABLISHED filtering to the beginning of the checks. Also, the order of the checks on the NEW ssh connections has been fixed based on the suggestions in the comments.

The blocked IPs are stored in /proc/net/ipt_recent/SSH.
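To make the accept/drop behaviour of the three NEW-connection rules above easier to reason about, here is a small Python model of them. This is an added example, not code from the original post: it follows the documented semantics of -m recent --set and --update --seconds 60 --hitcount 4 --rttl, and the packet trace it runs is constructed. The real kernel table has limits this toy leaves out (for instance a cap on the number of timestamps kept per address).

```python
# Added example: a toy model of the 'recent' match chain from the post.
# It is not the kernel module; it reproduces the documented behaviour of
# "--set" and "--update --seconds N --hitcount M --rttl" so a trace of NEW
# SSH connections can be walked through offline.

WINDOW_SECONDS = 60   # --seconds 60
HIT_COUNT = 4         # --hitcount 4


class RecentList:
    """Per-address packet timestamps, like the 'SSH' list named in the rules."""

    def __init__(self):
        # src -> {"ttl": TTL recorded for the address, "stamps": [seconds]}
        self.entries = {}

    def set(self, src, ttl, now):
        """'--set': create the entry if needed and record this packet's time."""
        e = self.entries.setdefault(src, {"ttl": ttl, "stamps": []})
        e["stamps"].append(now)
        e["ttl"] = ttl            # the list remembers the TTL last seen

    def update(self, src, ttl, now, seconds, hitcount, rttl=True):
        """'--update --seconds --hitcount [--rttl]': True when the address has
        at least `hitcount` packets within the last `seconds`.  With --rttl the
        packet's TTL must also equal the TTL recorded for the address, which
        makes it harder to get a third party's address blocked with spoofed
        packets."""
        e = self.entries.get(src)
        if e is None or (rttl and e["ttl"] != ttl):
            return False
        hits = sum(1 for t in e["stamps"] if now - t <= seconds)
        if hits >= hitcount:
            e["stamps"].append(now)   # a matching --update refreshes the entry
            return True
        return False


def ssh_chain(recent, src, ttl, now):
    """Walk one NEW SSH packet through the three rules and return the verdict."""
    recent.set(src, ttl, now)                                    # rule 1: --set
    if recent.update(src, ttl, now, WINDOW_SECONDS, HIT_COUNT):  # rule 2: DROP
        return "DROP"
    return "ACCEPT"                                              # rule 3: ACCEPT


def run_trace(packets):
    """packets: list of (time_in_seconds, src, ttl); returns the verdicts."""
    recent = RecentList()
    return [ssh_chain(recent, src, ttl, t) for t, src, ttl in packets]


if __name__ == "__main__":
    # Constructed sample traffic (documentation addresses, made-up TTLs):
    # a brute-forcer opening a new connection every 5 s, and a patient user
    # retrying a mistyped password once a minute.
    burst = [(t, "203.0.113.9", 51) for t in range(0, 30, 5)]
    patient = [(t, "198.51.100.7", 64) for t in range(0, 300, 60)]
    for label, pkts in (("burst", burst), ("patient", patient)):
        print(label, run_trace(pkts))
```

Running it shows the fourth connection from the bursting address within the 60 s window being dropped (so three new connections per minute are allowed per source), while the once-a-minute client never accumulates four hits and is accepted every time; a second address is tracked independently and is not affected by the first one's drops.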

Governance and scarcity.

August 1, 2011

Most of the time when we see contentious debate come up in the Fedora Project is when the community is trying to create, or agree on, the governance or process by which a scarce resource is used or allocated.

Recall the friction a year or two ago regarding how to advertise different spins of Fedora on the website, and whether or not the layout would recommend a default spin, or promote one spin as a first-among-equals. Real estate on the front page of the website is a scarce resource, which leads to lots of people debating the most efficient way to allocate it.

One of the key responsibilities of Fedora’s leadership is to identify these scarcity points and understand them. It is the job of Fedora’s leaders to understand whether the scarcity in question is real or artificial.

Back to the previous example — Fedora doesn’t have control over the manufacture of computer monitors. The amount of visible space on the main page of Fedora’s website is real scarcity.

I can think of several places where Fedora has taken steps to remove artificial scarcity that could otherwise have caused huge problems.

For instance, if a package needs review or needs to be maintained, it is easy to do so. The process for increasing the total number of packages in Fedora, and the number of folks who can review new packages, is relatively simple. It doesn’t depend on another resource such as “money in a budget” or “open headcount for hiring”. From a governance point of view, this is great. Fedora’s leadership said “we need to make sure that packages in Fedora are high quality”, and the community was left to solve that problem in a scalable way, and did so.

Many years ago, when I hired Mike to lead Fedora’s infrastructure team, I told him that I would never micromanage his work, because he knew better than I what needed to be done. The only time he would see me poke my nose into his business was if he permitted any artificial scarcity to exist within Fedora Infrastructure.

What does that mean? Building the capacity for an ever-growing number of people to participate in Fedora Infrastructure was the primary objective, and figuring that out while not sacrificing security policy or quality was (and is) a non-trivial problem. Because in a community like Fedora that places value on GETTING STUFF DONE, telling someone “there is no one with time to address your topic and you are not allowed to do it yourself” is unacceptable.

To put it another way: within the context of Fedora, if you are claiming that people is a scarce resource, you are probably wrong, and people is simply a scapegoat for a different issue. The rollout of the community credit cards is a good example of this point.

Removing scarcity is not the same as removing guidelines or rules. Fedora has very well-written trademark guidelines. These guidelines help us not only build, but also protect, and scale, Fedora’s brand.

Just don’t let the implementation or the following of those guidelines and rules create artificial scarcity.