Discussion: What's going on with pgfoundry?


What's going on with pgfoundry?

From
Tatsuo Ishii
Date:
Today I noticed I cannot log in to cvs.pgfoundry.org anymore since the
IP address has been changed and I am asked for a password which seems to be
changed. So I cannot use CVS any more. Does anybody know why this happens
and how to fix it?
--
Tatsuo Ishii
SRA OSS, Inc. Japan


Re: What's going on with pgfoundry?

From
"Dave Page"
Date:
On Wed, Nov 26, 2008 at 2:43 PM, Tatsuo Ishii <ishii@postgresql.org> wrote:
> Today I noticed I cannot log in to cvs.pgfoundry.org anymore since the
> IP address has been changed and I am asked for a password which seems to be
> changed. So I cannot use CVS any more. Does anybody know why this happens
> and how to fix it?

It's the same IP address - but try port 35 for ssh. Marc changed it
(temporarily) due to a vast number of malicious connection attempts.


-- 
Dave Page
EnterpriseDB UK:   http://www.enterprisedb.com


Re: What's going on with pgfoundry?

From
Kris Jurka
Date:

On Wed, 26 Nov 2008, Dave Page wrote:

>
> It's the same IP address - but try port 35 for ssh. Marc changed it
> (temporarily) due to a vast number of malicious connection attempts.
>

Why wasn't this change communicated to anyone, not even gforge-admins? 
How temporary is temporary?

Kris Jurka


Re: What's going on with pgfoundry?

From
Steve Crawford
Date:
Kris Jurka wrote:
>
>
> On Wed, 26 Nov 2008, Dave Page wrote:
>
>>
>> It's the same IP address - but try port 35 for ssh. Marc changed it
>> (temporarily) due to a vast number of malicious connection attempts.
>>
>
> Why wasn't this change communicated to anyone, not even gforge-admins? 
> How temporary is temporary?
>
> Kris Jurka
>
I can't speak to the administrative and communications aspects, but 
based on my experience, I can recommend communicating to the appropriate 
users and making the change permanent.

I have changed the external ssh port on all machines I administer. The 
result is the complete elimination of the previous hundreds to thousands 
of daily script-kiddie brute-force attempts I used to see.

Obscurity should not be your *only* line of defense, but camouflage 
helps as well. And even if it didn't, it still reduces server-load, 
bandwidth and heaps of logfile cruft.

Cheers,
Steve



Re: What's going on with pgfoundry?

From
"Marc G. Fournier"
Date:
On Wed, 26 Nov 2008, Steve Crawford wrote:

> Obscurity should not be your *only* line of defense, but camouflage 
> helps as well. And even if it didn't, it still reduces server-load, 
> bandwidth and heaps of logfile cruft.

In our case, thankfully, there was minimal bandwidth impact, but the 
server load on some of the machines was to the point of unusability ... 
again, thankfully, that didn't manifest itself on any of the postgresql 
servers, but we didn't want to take any chances of it bleeding over ...

----
Marc G. Fournier           Hub.Org Networking Services (http://www.hub.org)
Email . scrappy@hub.org                              MSN . scrappy@hub.org
Yahoo . yscrappy               Skype: hub.org        ICQ . 7615664


Re: What's going on with pgfoundry?

From
Andrew Chernow
Date:
Steve Crawford wrote:
> 
> I have changed the external ssh port on all machines I administer. The 
> result is the complete elimination of the previous hundreds to thousands 
> of daily script-kiddie brute-force attempts I used to see.
> 
> 
> 

+1

We have not used port 22 in our production network for years; for all 
the same reasons.  Although it's only obfuscation, it works.

-- 
Andrew Chernow
eSilo, LLC
every bit counts
http://www.esilo.com/


Re: What's going on with pgfoundry?

From
David Fetter
Date:
On Wed, Nov 26, 2008 at 10:51:23AM -0800, Steve Crawford wrote:
> Kris Jurka wrote:
>> On Wed, 26 Nov 2008, Dave Page wrote:
>>
>>> It's the same IP address - but try port 35 for ssh. Marc changed
>>> it (temporarily) due to a vast number of malicious connection
>>> attempts.
>>
>> Why wasn't this change communicated to anyone, not even
>> gforge-admins?  How temporary is temporary?
>>
>> Kris Jurka
>>
> I can't speak to the administrative and communications aspects, but
> based on my experience, I can recommend communicating to the
> appropriate  users and making the change permanent.

We should move to a port-knocking
<http://dotancohen.com/howto/portknocking.html> or other modern
strategy if we're going to move at all.

Cheers,
David.
-- 
David Fetter <david@fetter.org> http://fetter.org/
Phone: +1 415 235 3778  AIM: dfetter666  Yahoo!: dfetter
Skype: davidfetter      XMPP: david.fetter@gmail.com

Remember to vote!
Consider donating to Postgres: http://www.postgresql.org/about/donate


Re: What's going on with pgfoundry?

From
Steve Crawford
Date:
David Fetter wrote:
>
>
> We should move to a port-knocking
> <http://dotancohen.com/howto/portknocking.html> or other modern
> strategy if we're going to move at all.
>
>   
Yeah, but telling my firewall to move port 22 inside to port xxxx 
outside took less time than writing this email. Inside the firewall 
plain old ssh continues to work fine and I don't have to deal with 
issues of forwarding additional ports through the firewall, mucking with 
iptables rules, etc.

For my servers, moving outside access to a non-standard port has proven 
100% effective for over a year so additional complexity hasn't been 
warranted.

Cheers,
Steve



Re: What's going on with pgfoundry?

From
"Joshua D. Drake"
Date:
On Wed, 2008-11-26 at 13:57 -0800, Steve Crawford wrote:
> David Fetter wrote:
> >
> >
> > We should move to a port-knocking
> > <http://dotancohen.com/howto/portknocking.html> or other modern
> > strategy if we're going to move at all.
> >
> >   
> Yeah, but telling my firewall to move port 22 inside to port xxxx 
> outside took less time than writing this email. Inside the firewall 
> plain old ssh continues to work fine and I don't have to deal with 
> issues of forwarding additional ports through the firewall, mucking with 
> iptables rules, etc.
> 
> For my servers, moving outside access to a non-standard port has proven 
> 100% effective for over a year so additional complexity hasn't been 
> warranted.

Since we're chatting :P. My vote would be to move everything back to port
22 and force key based auth only.

Joshua D. Drake


> 
> Cheers,
> Steve
> 
> 
-- 
PostgreSQL Consulting, Development, Support, Training  503-667-4564 - http://www.commandprompt.com/
The PostgreSQL Company, serving since 1997
 



Re: What's going on with pgfoundry?

From
"Marc G. Fournier"
Date:
--On Wednesday, November 26, 2008 14:00:59 -0800 "Joshua D. Drake" 
<jd@commandprompt.com> wrote:


> Since we're chatting :P. My vote would be to move everything back to port
> 22 and force key based auth only.

How does that work?  Does that kill the script kiddies in their tracks?  I'm 
guessing so, but had never thought to try it ...

How would someone upload their key if they don't have access?  Some sort of web 
interface?  One wouldn't want to throw extra admin overhead if it can be 
avoided ...


-- 
Marc G. Fournier        Hub.Org Hosting Solutions S.A. (http://www.hub.org)
Email . scrappy@hub.org                              MSN . scrappy@hub.org
Yahoo . yscrappy               Skype: hub.org        ICQ . 7615664



Re: What's going on with pgfoundry?

From
Alvaro Herrera
Date:
Marc G. Fournier wrote:

> How would someone upload their key if they don't have access?  Some sort of web 
> interface?  One wouldn't want to throw extra admin overhead if it can be 
> avoided ...

pgfoundry already has a web interface for uploading SSH keys.

-- 
Alvaro Herrera                                http://www.CommandPrompt.com/
The PostgreSQL Company - Command Prompt, Inc.


Re: What's going on with pgfoundry?

From
Magnus Hagander
Date:
Marc G. Fournier wrote:
> 
>> Since we're chatting :P. My vote would be to move everything back to port
>> 22 and force key based auth only.
> 
> How does that work?  Does that kill the script kiddies in their tracks?  I'm
> guessing so, but had never thought to try it ...

Depends on where the problem is. AFAIK, it will still go through the
initial cryptographic key exchange before it even starts talking about
auth methods. However, if the problem is that they are trying many
different passwords *over the same connection*, it should fix the problem.

I suggested this long ago for our servers in general (for other
reasons), but was voted down at the time. Can't remember why though :-)
This was around the same time I proposed we should not allow remote root
logins...


> How would someone upload their key if they don't have access?  Some sort of web
> interface?  One wouldn't want to throw extra admin overhead if it can be
> avoided ...

IIRC, you can already upload your key using the gforge web interface if
you want to - it's just not mandatory.

//Magnus


Re: What's going on with pgfoundry?

From
"Joshua D. Drake"
Date:
On Wed, 2008-11-26 at 18:06 -0400, Marc G. Fournier wrote:
> > Since we're chatting :P. My vote would be to move everything back to port
> > 22 and force key based auth only.
> 
> How does that work?  Does that kill the script kiddies in their tracks?  I'm 
> guessing so, but had never thought to try it ...
> 

Well they can still talk to the port of course but it's irrelevant
because unless they have an ssh key, they aren't getting in. Period.


> How would someone upload their key if they don't have access?  Some sort of web 
> interface?  One wouldn't want to throw extra admin overhead if it can be 
> avoided ...
> 

See other comment on this.

Joshua D. Drake


-- 
PostgreSQL Consulting, Development, Support, Training  503-667-4564 - http://www.commandprompt.com/
The PostgreSQL Company, serving since 1997
 



Re: What's going on with pgfoundry?

From
Steve Crawford
Date:
Joshua D. Drake wrote:
> On Wed, 2008-11-26 at 18:06 -0400, Marc G. Fournier wrote:
>>> Since we're chatting :P. My vote would be to move everything back to port
>>> 22 and force key based auth only.
>> How does that work?  Does that kill the script kiddies in their tracks?  I'm 
>> guessing so, but had never thought to try it ...
>
> Well they can still talk to the port of course but it's irrelevant...

Not really. My servers don't allow remote root ssh access at all. But 
all the failed script-kiddie attempts really hose the log files to say 
nothing about wasting my bandwidth.

Cheers,
Steve



Re: What's going on with pgfoundry?

From
"Marc G. Fournier"
Date:
--On Wednesday, November 26, 2008 14:12:42 -0800 "Joshua D. Drake" 
<jd@commandprompt.com> wrote:


> Well they can still talk to the port of course but its irrelevant
> because unless they have an ssh key, they aren't getting in. Period.

Well, they weren't getting in before ... it was the massive flood of attempts 
that was hurting :)


-- 
Marc G. Fournier        Hub.Org Hosting Solutions S.A. (http://www.hub.org)
Email . scrappy@hub.org                              MSN . scrappy@hub.org
Yahoo . yscrappy               Skype: hub.org        ICQ . 7615664



Re: What's going on with pgfoundry?

From
Tom Lane
Date:
"Marc G. Fournier" <scrappy@hub.org> writes:
> <jd@commandprompt.com> wrote:
>> Well they can still talk to the port of course but its irrelevant
>> because unless they have an ssh key, they aren't getting in. Period.

> Well, they weren't getting in before ... it was the massive flood of attempts
> that was hurting :)

Yeah.  So having a more secure login API won't help that a bit.

I don't have a problem with moving the ssh support to a nonstandard
port, but I do have a problem with the lack of notification about it.
Even core found out the hard way.
        regards, tom lane


Re: What's going on with pgfoundry?

From
Alvaro Herrera
Date:
Marc G. Fournier wrote:

> --On Wednesday, November 26, 2008 14:12:42 -0800 "Joshua D. Drake" 
> <jd@commandprompt.com> wrote:
> 
> > Well they can still talk to the port of course but its irrelevant
> > because unless they have an ssh key, they aren't getting in. Period.
> 
> Well, they weren't getting in before ... it was the massive flood of attempts 
> that was hurting :)

It should be easy to block the IPs that cause too many failures, like
fail2ban does in Linux using iptables.

-- 
Alvaro Herrera                                http://www.CommandPrompt.com/
The PostgreSQL Company - Command Prompt, Inc.
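
Alvaro's fail2ban suggestion, as an added example (not from the thread and not fail2ban's own code): a Python script that applies fail2ban's maxretry/findtime rule to sshd auth-log lines, counting failed logins per client address in a sliding window and reporting the addresses that would be banned. The log lines are constructed and the year is assumed, since syslog timestamps omit it.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Matches the failure lines OpenSSH writes to the auth log; the client
# address is what we key on, hostname and process id are ignored.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed (?:password|publickey) for (?:invalid user )?\S+ "
    r"from (?P<ip>[0-9a-fA-F.:]+) port \d+"
)

def parse_ts(text, year=2008):
    """syslog timestamps carry no year; the caller supplies it (assumed)."""
    return datetime.strptime(text, "%b %d %H:%M:%S").replace(year=year)

def find_offenders(lines, maxretry=5, findtime=timedelta(minutes=10)):
    """Return {ip: time_of_ban} for clients that hit `maxretry` failures
    inside a sliding `findtime` window (fail2ban's rule); report only."""
    recent = defaultdict(deque)   # ip -> failure timestamps still in window
    banned = {}
    for line in lines:
        m = FAILED_RE.match(line)
        if not m or m["ip"] in banned:
            continue              # successes and already-banned clients
        ts = parse_ts(m["ts"])
        window = recent[m["ip"]]
        window.append(ts)
        while ts - window[0] > findtime:
            window.popleft()      # drop failures older than findtime
        if len(window) >= maxretry:
            banned[m["ip"]] = ts  # a real jail would add a firewall rule here
    return banned

# Constructed sample log: one scanner cycling usernames, one legitimate
# user who mistypes a password twice and then logs in with a key.
SAMPLE_LOG = """\
Nov 26 14:00:01 cvs sshd[2011]: Failed password for invalid user admin from 192.0.2.10 port 51234 ssh2
Nov 26 14:00:02 cvs sshd[2012]: Failed password for invalid user oracle from 192.0.2.10 port 51235 ssh2
Nov 26 14:00:03 cvs sshd[2013]: Failed password for root from 192.0.2.10 port 51236 ssh2
Nov 26 14:00:04 cvs sshd[2014]: Failed password for invalid user test from 192.0.2.10 port 51237 ssh2
Nov 26 14:00:05 cvs sshd[2015]: Failed password for invalid user guest from 192.0.2.10 port 51238 ssh2
Nov 26 14:01:00 cvs sshd[2016]: Failed password for alice from 203.0.113.5 port 41000 ssh2
Nov 26 14:01:10 cvs sshd[2017]: Failed password for alice from 203.0.113.5 port 41001 ssh2
Nov 26 14:01:20 cvs sshd[2018]: Accepted publickey for alice from 203.0.113.5 port 41002 ssh2
Nov 26 14:30:00 cvs sshd[2019]: Failed password for alice from 203.0.113.5 port 41003 ssh2
"""

if __name__ == "__main__":
    for ip, when in find_offenders(SAMPLE_LOG.splitlines()).items():
        print(f"would ban {ip}: {when:%H:%M:%S}")
```

With the defaults only the scanner is reported; the legitimate user's two slips stay below the threshold, and her later failure falls outside the window and is counted afresh.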


Re: What's going on with pgfoundry?

From
"Marc G. Fournier"
Date:
--On Wednesday, November 26, 2008 17:42:12 -0500 Tom Lane <tgl@sss.pgh.pa.us> 
wrote:

> "Marc G. Fournier" <scrappy@hub.org> writes:
>> <jd@commandprompt.com> wrote:
>>> Well they can still talk to the port of course but its irrelevant
>>> because unless they have an ssh key, they aren't getting in. Period.
>
>> Well, they weren't getting in before ... it was the massive flood of attempts
>> that was hurting :)
>
> Yeah.  So having a more secure login API won't help that a bit.
>
> I don't have a problem with moving the ssh support to a nonstandard
> port, but I do have a problem with the lack of notification about it.
> Even core found out the hard way.

I just moved pgfoundry back to port 22, since out of all of them, I believe 
that one had the largest impact ... I would still like to move it back to 35 ...

Email . scrappy@hub.org                              MSN . scrappy@hub.org
Yahoo . yscrappy               Skype: hub.org        ICQ . 7615664