[Bio-Linux] Bio-Linux 5.0 security

Tony Travis a.travis at abdn.ac.uk
Wed Jan 28 11:46:13 EST 2009


Tim Booth wrote:
> Hi Tony,
> 
> Useful advice, but a word of warning on fail2ban - I've known it to
> block legitimate hosts, including even localhost!  It seems that NX,
> which a lot of people use for remote access, did not play nicely with
> fail2ban in that case.

Hello, Tim.

We've been using "fail2ban" with NX on our Beowulf at RINH and the NBX 
network without any problems. The default configuration that I'm using 
un-bans hosts after ten minutes anyway. Maybe the problem is only when 
you use the NoMachine proprietary 'free' NX server ;-)

Without "fail2ban", our systems are more vulnerable to this sort of 
attack from the Internet. I wrote an admin script called 'incoming' 
(attached) to monitor login activity. This gives me more information 
about where the failed login attempts are coming from than "faillog".

> If you have a small number of users on a machine (eg. if it is just your
> personal workstation) I would ensure that membership of the ssh group is
> kept to a minimum, use hard-to-crack passwords
> (http://www.dowling.edu/mydowling/tech/good-passwords.html) and consider
> moving from password-based login to key-based login.

Yes, you're right about "hard-to-crack passwords", but theft of keys is 
almost as much of a risk as theft of passwords :-(

> Key-based login takes a little bit of work to set up but is immune to
> current 'brute-force' attacks and can actually save you time typing
> passwords.  If anyone on this list is interested in knowing more then
> let me know and I'll post some details.

Brute-force attacks become denial of service attacks if you don't use 
fail2ban because you allow an attacker to continue attempting to log in. 
If you use fail2ban, the attacker doesn't even get a response to their 
TCP/IP packets because fail2ban modifies the kernel IPTABLES to drop any 
packets from the suspect host IP address. Key-based login does not do 
anything to prevent continued (futile) attacks...

We already use SSH key-based logins, and LDAP certificates on the NBX. 
However, I am interested in any jungle tips that you can give us about 
how to defend Bio-Linux systems.

Bye,

	Tony.
-- 
Dr. A.J.Travis, University of Aberdeen, Rowett Institute of Nutrition
and Health, Greenburn Road, Bucksburn, Aberdeen AB21 9SB, Scotland, UK
tel +44(0)1224 712751, fax +44(0)1224 716687, http://www.rowett.ac.uk
mailto:a.travis at abdn.ac.uk, http://bioinformatics.rri.sari.ac.uk/~ajt
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: incoming
URL: <http://www.bioinformatics.org/pipermail/bio-linux-list/attachments/20090128/efebdfa7/attachment.ksh>
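
The ban-and-release behaviour discussed in the message, sketched as an added example: this is not the 'incoming' script attached above and not fail2ban's own code. It tallies failed sshd logins per source address, reports when a source would be banned and un-banned after ten minutes, and never bans localhost. The retry threshold, counting window, host name, user names and log lines are assumptions constructed for illustration.

```python
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Added example. MAXRETRY and FINDTIME are assumed; BANTIME is the ten minutes
# mentioned in the message.
MAXRETRY, FINDTIME, BANTIME = 3, timedelta(minutes=10), timedelta(minutes=10)
IGNORE = [ip_network("127.0.0.0/8")]  # never ban localhost
FAILED = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) \S+ sshd\[\d+\]: "
                    r"Failed password for (?:invalid user )?\S+ from ([0-9a-fA-F.:]+) port")

# Constructed sample lines (documentation address ranges, not real hosts).
SAMPLE_LOG = """\
Jan 28 11:40:01 host1 sshd[2101]: Failed password for root from 203.0.113.7 port 4022 ssh2
Jan 28 11:40:03 host1 sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 4022 ssh2
Jan 28 11:40:05 host1 sshd[2103]: Failed password for root from 203.0.113.7 port 4031 ssh2
Jan 28 11:41:10 host1 sshd[2110]: Failed password for alice from 127.0.0.1 port 5010 ssh2
Jan 28 11:41:12 host1 sshd[2110]: Failed password for alice from 127.0.0.1 port 5010 ssh2
Jan 28 11:41:14 host1 sshd[2110]: Failed password for alice from 127.0.0.1 port 5010 ssh2
Jan 28 11:42:00 host1 sshd[2120]: Accepted publickey for bob from 192.0.2.10 port 50022 ssh2
Jan 28 11:43:00 host1 sshd[2125]: Failed password for bob from 198.51.100.20 port 6000 ssh2
Jan 28 11:51:00 host1 sshd[2140]: Failed password for root from 203.0.113.7 port 4100 ssh2
Jan 28 11:51:02 host1 sshd[2140]: Failed password for root from 203.0.113.7 port 4100 ssh2
Jan 28 11:51:04 host1 sshd[2141]: Failed password for root from 203.0.113.7 port 4107 ssh2
"""

def scan(log_text, year=2009):
    """Return (failures per source, [(ip, banned_at, unbanned_at), ...])."""
    failures, recent, bans = Counter(), defaultdict(deque), []
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if not m:
            continue  # successful logins and other messages are skipped
        when = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        ip = m.group(2)
        failures[ip] += 1
        if any(ip_address(ip) in net for net in IGNORE):
            continue  # counted for the report, never banned
        window = recent[ip]
        window.append(when)
        while when - window[0] > FINDTIME:
            window.popleft()  # forget failures older than the counting window
        if len(window) >= MAXRETRY:
            bans.append((ip, when, when + BANTIME))
            window.clear()
    return failures, bans

if __name__ == "__main__":
    print(*scan(SAMPLE_LOG), sep="\n")
```

In the sample, the remote source is banned once, released ten minutes later and banned again when it returns, while the three localhost failures only appear in the tally.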

