[Bio-Linux] Bio-Linux 5.0 security
Tony Travis
a.travis at abdn.ac.uk
Wed Jan 28 11:46:13 EST 2009
Tim Booth wrote:
> Hi Tony,
>
> Useful advice, but a word of warning on fail2ban - I've known it to
> block legitimate hosts, including even localhost! It seems that NX,
> which a lot of people use for remote access, did not play nicely with
> fail2ban in that case.
Hello, Tim.
We've been using "fail2ban" with NX on our Beowulf at RINH and the NBX
network without any problems. The default configuration that I'm using
un-bans hosts after ten minutes anyway. Maybe the problem is only when
you use the Nomachine proprietary 'free' NX server ;-)
Without "fail2ban", our systems are more vulnerable to this sort of
attack from the Internet. I wrote an admin script called 'incoming'
(attached) to monitor login activity. This gives me more information
about where the failed login attempts are coming from than "faillog".
> If you have a small number of users on a machine (eg. if it is just your
> personal workstation) I would ensure that membership of the ssh group is
> kept to a minimum, use hard-to-crack passwords
> (http://www.dowling.edu/mydowling/tech/good-passwords.html) and consider
> moving from password-based login to key-based login.
Yes, you're right about "hard-to-crack passwords", but theft of keys is
almost as much of a risk as theft of passwords :-(
> Key-based login takes a little bit of work to set up but is immune to
> current 'brute-force' attacks and can actually save you time typing
> passwords. If anyone on this list is interested in knowing more then
> let me know and I'll post some details.
Brute-force attacks become denial of service attacks if you don't use
fail2ban because you allow an attacker to continue attempting to log in.
If you use fail2ban, the attacker doesn't even get a response to their
TCP/IP packets because fail2ban modifies the kernel IPTABLES to drop any
packets from the suspect host IP address. Key-based login does not do
anything to prevent continued (futile) attacks...
We already use SSH key-based logins, and LDAP certificates on the NBX.
However, I am interested in any jungle tips that you can give us about
how to defend Bio-Linux systems.
Bye,
Tony.
--
Dr. A.J.Travis, University of Aberdeen, Rowett Institute of Nutrition
and Health, Greenburn Road, Bucksburn, Aberdeen AB21 9SB, Scotland, UK
tel +44(0)1224 712751, fax +44(0)1224 716687, http://www.rowett.ac.uk
mailto:a.travis at abdn.ac.uk, http://bioinformatics.rri.sari.ac.uk/~ajt
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: incoming
URL: <http://www.bioinformatics.org/pipermail/bio-linux-list/attachments/20090128/efebdfa7/attachment.ksh>
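
An added example, not part of the original message and neither the scrubbed 'incoming' script nor fail2ban's own code: a simplified Python model of the two ideas discussed above, a per-source count of failed SSH logins and a retry-window ban decision with a ten-minute un-ban that exempts localhost. The thresholds, function name and log lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Assumed policy; BAN_TIME mirrors the ten-minute un-ban mentioned in the message.
MAX_RETRY, FIND_TIME, BAN_TIME = 3, timedelta(minutes=10), timedelta(minutes=10)
IGNORE = [ip_network("127.0.0.0/8"), ip_network("::1/128")]  # never ban localhost
# OpenSSH "Failed password" lines in classic syslog format.
FAILED = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
                    r"Failed password for (?:invalid user )?\S+ from (?P<ip>[0-9A-Fa-f:.]+) port")
# Constructed sample log using documentation address ranges; not real data.
SAMPLE_LOG = """\
Jan 28 11:00:01 host sshd[101]: Failed password for invalid user admin from 203.0.113.7 port 4001 ssh2
Jan 28 11:00:03 host sshd[102]: Failed password for root from 203.0.113.7 port 4002 ssh2
Jan 28 11:00:04 host sshd[103]: Failed password for tim from 127.0.0.1 port 4003 ssh2
Jan 28 11:00:05 host sshd[104]: Failed password for tim from 127.0.0.1 port 4004 ssh2
Jan 28 11:00:06 host sshd[105]: Failed password for tim from 127.0.0.1 port 4005 ssh2
Jan 28 11:00:09 host sshd[106]: Failed password for root from 203.0.113.7 port 4006 ssh2
Jan 28 11:05:00 host sshd[107]: Accepted publickey for tony from 198.51.100.20 port 4007 ssh2
"""

def analyse(log_text, year=2009):
    """Return ({ip: failures}, [(ip, banned_at, unbanned_at)]) for a syslog excerpt."""
    counts, recent, banned_until, bans = defaultdict(int), defaultdict(list), {}, []
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if not m:
            continue
        ip, ts = m["ip"], datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        counts[ip] += 1  # always reported, as a per-source failed-login summary
        try:
            if any(ip_address(ip) in net for net in IGNORE):
                continue  # exempt from banning
        except ValueError:
            continue  # not a parseable address: report only
        if ts < banned_until.get(ip, datetime.min):
            continue  # still banned; no further decision needed
        recent[ip] = [t for t in recent[ip] + [ts] if ts - t <= FIND_TIME]
        if len(recent[ip]) >= MAX_RETRY:
            banned_until[ip] = ts + BAN_TIME
            bans.append((ip, ts, banned_until[ip]))
            recent[ip].clear()
    return dict(counts), bans

if __name__ == "__main__":
    totals, bans = analyse(SAMPLE_LOG)
    print(totals, [(ip, f"{a:%H:%M:%S}", f"{b:%H:%M:%S}") for ip, a, b in bans])
```

In fail2ban itself the corresponding settings are `maxretry`, `findtime`, `bantime` and `ignoreip`; listing the loopback addresses in `ignoreip` is the usual guard against the localhost block described in the quoted warning.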