[opensuse] fail2ban - a cautionary note
After 3 years of having a server in the cloud with fail2ban on it, it locked me out from my house ISP recently! I had my house's IP in the ignoreip line, but ... Apparently my ISP changed my IP and I had made a typo or two in my password since the IP change. Fortunately my cloud vendor provides console access via a Java app so I could log into the console and add my new home IP to the ignoreip line. Just a cautionary note for others, but it was pretty confusing since I could log in for a few minutes after reboot, but then re-connecting would be blocked. Greg -- Greg Freemyer -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org
Greg Freemyer wrote:
Apparently my ISP changed my IP and I had made a typo or two in my password since the IP change.
I take it you don't have a fixed IP? Since if you did, that would be real weird just to have your IP changed out from under you.
On Mon, Nov 7, 2016 at 9:43 PM, Linda Walsh
Greg Freemyer wrote:
Apparently my ISP changed my IP and I had made a typo or two in my password since the IP change.
--- I take it you don't have a fixed IP? Since if you did, that would be real weird just to have your IP changed out from under you.
Correct, but it hadn't changed in 3 years I assume. That's when I set up the server.
On 11/07/2016 09:59 PM, Greg Freemyer wrote:
Correct, but it hadn't changed in 3 years I assume. That's when I set up the server.
I guess you're the same as me, virtually static DHCP address. Mine also changes rarely, usually as a result of a hardware change, but also if there's a significant network change. It changed about 6 months ago, when my ISP started offering IPv6. My IPv4 address went to a completely different address range. It used to start with 99, IIRC, now it's 174.
On 11/07/2016 06:59 PM, Greg Freemyer wrote:
On Mon, Nov 7, 2016 at 9:43 PM, Linda Walsh
wrote: Greg Freemyer wrote:
Apparently my ISP changed my IP and I had made a typo or two in my password since the IP change.
--- I take it you don't have a fixed IP? Since if you did, that would be real weird just to have your IP changed out from under you.
Correct, but it hadn't changed in 3 years I assume. That's when I set up the server.
But that leaves me wondering... Server in the cloud. Variable IP. How do you find it? How do the users of such a cloud find it? Does the cloud service supply some kind of DNS service? Can't you add a FQDN to fail2ban instead of an IP? -- After all is said and done, more is said than done.
On 11/08/2016 09:43 AM, John Andersen wrote:
On 11/07/2016 06:59 PM, Greg Freemyer wrote:
On Mon, Nov 7, 2016 at 9:43 PM, Linda Walsh
wrote: Greg Freemyer wrote:
Apparently my ISP changed my IP and I had made a typo or two in my password since the IP change.
I take it you don't have a fixed IP? Since if you did, that would be real weird just to have your IP changed out from under you. Correct, but it hadn't changed in 3 years I assume. That's when I set up the server.
But that leaves me wondering... Server in the cloud. Variable IP. How do you find it? How do the users of such a cloud find it? Does the cloud service supply some kind of DNS service?
Can't you add a FQDN to fail2ban instead of an IP?
I'm confused. I assumed that OP's home IP changed. Your cloudy server changing IP is a completely different issue, right? But using a FQDN for access would open up possible security and DOS issues, wouldn't it? Regards, Lew
On Tue, Nov 8, 2016 at 12:53 PM, Lew Wolfgang
On 11/08/2016 09:43 AM, John Andersen wrote:
On 11/07/2016 06:59 PM, Greg Freemyer wrote:
On Mon, Nov 7, 2016 at 9:43 PM, Linda Walsh
wrote: Greg Freemyer wrote:
Apparently my ISP changed my IP and I had made a typo or two in my password since the IP change.
--- I take it you don't have a fixed IP? Since if you did, that would be real weird just to have your IP changed out from under you.
Correct, but it hadn't changed in 3 years I assume. That's when I set up the server.
But that leaves me wondering... Server in the cloud. Variable IP. How do you find it? How do the users of such a cloud find it? Does the cloud service supply some kind of DNS service?
Can't you add a FQDN to fail2ban instead of an IP?
I'm confused. I assumed that OP's home IP changed. Your cloudy server changing IP is a completely different issue, right?
Lew is right. The cloud-based server is a VM I rent. It has a static IP that has never changed. In the fail2ban config on that server I have: ignoreip = 1.2.3.4 where that would be my home IP. That means no matter how often I fat-finger the password when working at my house and trying to connect to the server via SSH, it doesn't lock me out. Several days ago, I got locked out. I logged into the server via a "console" login provided by the VM provider. It is basically only used for emergency access to the server when it won't boot, etc. Using the emergency login feature, I changed the ignoreip IP to my new home IP and I can now ssh in again.
But using a FQDN for access would open up possible security and DOS issues, wouldn't it?
I have no firewall holes in my home router. All socket initiation is outbound.
Regards, Lew
Greg
On 11/08/2016 10:28 AM, Greg Freemyer wrote:
Lew is right. The cloud-based server is a VM I rent. It has a static IP that has never changed.
Ahh, that is the part I misread in my pre-coffee stupor. -- After all is said and done, more is said than done.
On 11/08/2016 10:28 AM, Greg Freemyer wrote:
But using a FQDN for access would open up possible security and DOS
issues, wouldn't it? I have no firewall holes in my home router. All socket initiation is outbound.
Hi Greg, I was thinking with regard to the cloud server. Using DNS for access control is risky on a number of different fronts. BTW, I disable username/password on my remote ssh servers and use only my pre-placed public key. Regards, Lew -- "When a government enforces lawlessness it is no longer a government of the people. It is a tyranny." -- P Gendron
On 11/08/2016 10:37 AM, Lew Wolfgang wrote:
BTW, I disable username/password on my remote ssh servers and use only my pre-placed public key.
Me too.. And even then I move ssh off of port 22 just to keep the logs clean of script kiddie attempts. -- After all is said and done, more is said than done.
On Tue, Nov 8, 2016 at 1:39 PM, John Andersen
On 11/08/2016 10:37 AM, Lew Wolfgang wrote:
BTW, I disable username/password on my remote ssh servers and use only my pre-placed public key.
Me too..
And even then I move ssh off of port 22 just to keep the logs clean of script kiddie attempts.
I should do both of those as well, but fail2ban keeps the logs pretty clean. But I don't really keep anything secret on that server. It's mostly for my company website that gets dozens of hits a day! Anything of value there is inside an encrypted ZIP file. Greg
John Andersen wrote:
On 11/08/2016 10:37 AM, Lew Wolfgang wrote:
BTW, I disable username/password on my remote ssh servers and use only my pre-placed public key.
Me too..
And even then I move ssh off of port 22 just to keep the logs clean of script kiddie attempts.
Ditto. Best thing I ever did. -- Per Jessen, Zürich (3.4°C)
On 2016-11-08 19:28, Greg Freemyer wrote:
On Tue, Nov 8, 2016 at 12:53 PM, Lew Wolfgang
wrote: On 11/08/2016 09:43 AM, John Andersen wrote:
Can't you add a FQDN to fail2ban instead of an IP?
...
In the fail2ban config on that server I have:
ignoreip = 1.2.3.4 where that would be my home IP.
The doubt is whether you could place there the DNS name of your home IP, not the IP itself. -- Cheers / Saludos, Carlos E. R. (from 13.1 x86_64 "Bottle" at Telcontar)
On Wednesday, 9 November 2016 3:51:58 AM ACDT Carlos E. R. wrote:
On 2016-11-08 19:28, Greg Freemyer wrote:
On Tue, Nov 8, 2016 at 12:53 PM, Lew Wolfgang
wrote: On 11/08/2016 09:43 AM, John Andersen wrote:
Can't you add a FQDN to fail2ban instead of an IP?
...
In the fail2ban config on that server I have:
ignoreip = 1.2.3.4 where that would be my home IP.
The doubt is whether you could place there the DNS name of your home IP, not the IP itself.
I was thinking the same thing. If you use a dynamic DNS service for your home IP then you could use the FQDN of your home connection in the fail2ban config, if that is supported. I do see an issue with that, though - every connection attempt would trigger a reverse DNS lookup to get the hostname associated with the source IP address, which would consume a lot of resources, both on the host running fail2ban and lots of unnecessary DNS requests (especially in the case of a botnet attack from lots of spoofed IP addresses). Regards, Rodney. -- Rodney Baker VK5ZTV rodney.baker@iinet.net.au
On 2016-11-12 13:30, Rodney Baker wrote:
On Wednesday, 9 November 2016 3:51:58 AM ACDT Carlos E. R. wrote:
On 2016-11-08 19:28, Greg Freemyer wrote:
On Tue, Nov 8, 2016 at 12:53 PM, Lew Wolfgang
wrote: On 11/08/2016 09:43 AM, John Andersen wrote:
Can't you add a FQDN to fail2ban instead of an IP?
...
In the fail2ban config on that server I have:
ignoreip = 1.2.3.4 where that would be my home IP.
The doubt is whether you could place there the DNS name of your home IP, not the IP itself.
I was thinking the same thing. If you use a dynamic DNS service for your home IP then you could use the FQDN of your home connection in the fail2ban config, if that is supported.
I do see an issue with that, though - every connection attempt would trigger a reverse DNS lookup to get the hostname associated with the source IP address, which would consume a lot of resources, both on the host running fail2ban and lots of unnecessary DNS requests (especially in the case of a botnet attack from lots of spoofed IP addresses).
Ah. Ok. Two solutions. One is running a local DNS cache, like dnsmasq. It is possible that fail2ban doesn't accept names for that very reason. Then the trick is to edit that file with a cronjob that finds the current IP address of the home machine and updates the config if it changed. -- Cheers / Saludos, Carlos E. R. (from 13.1 x86_64 "Bottle" at Telcontar)
On 11/12/2016 at 6:30 AM, in message <3146792.EM6LgxBu0x@mako.vk5ztv.ampr.org>, Rodney Baker
wrote:
I was thinking the same thing. If you use a dynamic DNS service for your home IP then you could use the FQDN of your home connection in the fail2ban config, if that is supported.
Well, I'd be cautionary about that as well -- I had something similar to that set up with my home environment, with the dynamic DNS hosted by namecheap, since I could maintain the entries via API calls. But something weird happened to one of their DNS servers (out of the 6,) and any requests for my DNS entries that hit that server were being redirected to a random host in some other country (India I think...??) It took a long time working with one of the reps there for them to acknowledge that there was an issue, but it still wasn't resolved after a few days. So I moved my DNS config back to Network Solutions (my domain registrar.) So I'd be cautionary about relying on dynamic DNS. Maybe some sort of automatic SSH script that logs into your server using a shared key, and updates like /etc/hosts to reflect your current home IP? Chris
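One way to do the cron-job update that Carlos and Chris describe above, as an added example that is not code from the thread or from fail2ban itself: a POSIX sh script that rewrites the ignoreip line of jail.local only when the home IP has actually changed, so fail2ban is reloaded only then. It assumes the config lives in /etc/fail2ban/jail.local, that the current home IP is handed to the script by the caller (the lookup itself, whether a dynamic-DNS query or a value pushed from the home machine over SSH, stays outside the script), and that fail2ban-client reload is available on the server.

```shell
# Added example (not from the thread): keep fail2ban's "ignoreip" line in sync
# with a home IP that can change. The caller passes in the current home IP (from
# a dynamic-DNS lookup or pushed from home over SSH); the last value is kept in
# a state file so the config is rewritten, and fail2ban reloaded, only on change.
# Assumed paths: /etc/fail2ban/jail.local and /etc/fail2ban/home-ip.state.
# Accept only a dotted quad with octets 0..255, so an empty or garbage lookup
# result (error text, an HTML page) can never end up whitelisted.
valid_ipv4() {
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o; do
        case $o in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
}

# update_ignoreip CONFIG STATEFILE NEW_IP
# Exit status: 0 = config rewritten, 1 = IP unchanged, 2 = rejected input,
# 3 = no ignoreip line in CONFIG (file left untouched).
update_ignoreip() {
    conf=$1 state=$2 new=$3
    valid_ipv4 "$new" || return 2
    old=$(cat "$state" 2>/dev/null || true)
    [ "$new" = "$old" ] && return 1
    tmp=$conf.tmp found=0
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            ignoreip*=*)
                found=1
                set -- ${line#*=}
                out='ignoreip ='
                for ip; do
                    [ "$ip" = "$old" ] && ip=$new      # swap the stale home IP
                    out="$out $ip"
                done
                case " $out " in *" $new "*) ;; *) out="$out $new" ;; esac
                line=$out ;;
        esac
        printf '%s\n' "$line"
    done < "$conf" > "$tmp"
    [ "$found" -eq 0 ] && { rm -f "$tmp"; return 3; }
    mv "$tmp" "$conf"
    printf '%s\n' "$new" > "$state"
}

# Cron entry point: update_ignoreip.sh NEW_IP, reloading fail2ban only on change.
if [ $# -eq 1 ]; then
    update_ignoreip /etc/fail2ban/jail.local /etc/fail2ban/home-ip.state "$1" \
        && fail2ban-client reload
fi
```

Because the previous IP is remembered in the state file, a later run swaps the stale entry rather than letting old home addresses pile up in ignoreip.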