What's going on with pgfoundry?
Today I noticed I cannot login to cvs.pgfoundry.org anymore since the
IP address has been changed am asked password which seems to be
changed. So I cannot use CVS any more. Does anybody why this happens
and how to fix it?
--
Tatsuo Ishii
SRA OSS, Inc. Japan
On Wed, Nov 26, 2008 at 2:43 PM, Tatsuo Ishii <ishii@postgresql.org> wrote:
Today I noticed I cannot login to cvs.pgfoundry.org anymore since the
IP address has been changed am asked password which seems to be
changed. So I cannot use CVS any more. Does anybody why this happens
and how to fix it?
It's the same IP address - but try port 35 for ssh. Marc changed it
(temporarily) due to a vast number of malicious connection attempts.
--
Dave Page
EnterpriseDB UK: http://www.enterprisedb.com
On Wed, 26 Nov 2008, Dave Page wrote:
It's the same IP address - but try port 35 for ssh. Marc changed it
(temporarily) due to a vast number of malicious connection attempts.
Why wasn't this change communicated to anyone, not even gforge-admins?
How temporary is temporary?
Kris Jurka
Kris Jurka wrote:
On Wed, 26 Nov 2008, Dave Page wrote:
It's the same IP address - but try port 35 for ssh. Marc changed it
(temporarily) due to a vast number of malicious connection attempts.Why wasn't this change communicated to anyone, not even gforge-admins?
How temporary is temporary?Kris Jurka
I can't speak to the administrative and communications aspects, but
based on my experience, I can recommend communicating to the appropriate
users and making the change permanent.
I have changed the external ssh port on all machines I administer. The
result is the complete elimination of the previous hundreds to thousands
of daily script-kiddie brute-force attempts I used to see.
Obscurity should not be your *only* line of defense, but camouflage
helps as well. And even if it didn't, it still reduces server-load,
bandwidth and heaps of logfile cruft.
Cheers,
Steve
On Wed, 26 Nov 2008, Steve Crawford wrote:
Obscurity should not be your *only* line of defense, but camouflage
helps as well. And even if it didn't, it still reduces server-load,
bandwidth and heaps of logfile cruft.
In order case, thankfully, there was minimal banwidth impact, but the
server load on some of the machines was to the point of unusability ...
again, thankfully, that didn't manifest it self on any of the postgresql
servers, but we didn't want to take any chances of it bleeding over ...
----
Marc G. Fournier Hub.Org Networking Services (http://www.hub.org)
Email . scrappy@hub.org MSN . scrappy@hub.org
Yahoo . yscrappy Skype: hub.org ICQ . 7615664
Steve Crawford wrote:
I have changed the external ssh port on all machines I administer. The
result is the complete elimination of the previous hundreds to thousands
of daily script-kiddie brute-force attempts I used to see.
+1
We have not used port 22 in our production network for years; for all
the same reasons. Although its only obfuscation, it works.
--
Andrew Chernow
eSilo, LLC
every bit counts
http://www.esilo.com/
On Wed, Nov 26, 2008 at 10:51:23AM -0800, Steve Crawford wrote:
Kris Jurka wrote:
On Wed, 26 Nov 2008, Dave Page wrote:
It's the same IP address - but try port 35 for ssh. Marc changed
it (temporarily) due to a vast number of malicious connection
attempts.Why wasn't this change communicated to anyone, not even
gforge-admins? How temporary is temporary?Kris Jurka
I can't speak to the administrative and communications aspects, but
based on my experience, I can recommend communicating to the
appropriate users and making the change permanent.
We should move to a port-knocking
<http://dotancohen.com/howto/portknocking.html> or other modern
strategy if we're going to move at all.
Cheers,
David.
--
David Fetter <david@fetter.org> http://fetter.org/
Phone: +1 415 235 3778 AIM: dfetter666 Yahoo!: dfetter
Skype: davidfetter XMPP: david.fetter@gmail.com
Remember to vote!
Consider donating to Postgres: http://www.postgresql.org/about/donate
David Fetter wrote:
We should move to a port-knocking
<http://dotancohen.com/howto/portknocking.html> or other modern
strategy if we're going to move at all.
Yeah, but telling my firewall to move port 22 inside to port xxxx
outside took less time than writing this email. Inside the firewall
plain old ssh continues to work fine and I don't have to deal with
issues of forwarding additional ports through the firewall, mucking with
iptables rules, etc.
For my servers, moving outside access to a non-standard port has proven
100% effective for over a year so additional complexity hasn't been
warranted.
Cheers,
Steve
On Wed, 2008-11-26 at 13:57 -0800, Steve Crawford wrote:
David Fetter wrote:
We should move to a port-knocking
<http://dotancohen.com/howto/portknocking.html> or other modern
strategy if we're going to move at all.Yeah, but telling my firewall to move port 22 inside to port xxxx
outside took less time than writing this email. Inside the firewall
plain old ssh continues to work fine and I don't have to deal with
issues of forwarding additional ports through the firewall, mucking with
iptables rules, etc.For my servers, moving outside access to a non-standard port has proven
100% effective for over a year so additional complexity hasn't been
warranted.
Since were chatting :P. My vote would be to move everything back to port
22 and force key based auth only.
Joshua D. Drake
Cheers,
Steve
--
PostgreSQL
Consulting, Development, Support, Training
503-667-4564 - http://www.commandprompt.com/
The PostgreSQL Company, serving since 1997
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- --On Wednesday, November 26, 2008 14:00:59 -0800 "Joshua D. Drake"
<jd@commandprompt.com> wrote:
Since were chatting :P. My vote would be to move everything back to port
22 and force key based auth only.
How does that work? Does that kill the script kiddies in their tracks? I'm
guessing so, but had never thought to try it ...
How would someone upload their key if they don't have access? Some sort of web
interface? One wouldn't want to throw extra admin overhead if it can be
avoided ...
- --
Marc G. Fournier Hub.Org Hosting Solutions S.A. (http://www.hub.org)
Email . scrappy@hub.org MSN . scrappy@hub.org
Yahoo . yscrappy Skype: hub.org ICQ . 7615664
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.9 (FreeBSD)
iEYEARECAAYFAkktyHIACgkQ4QvfyHIvDvPUFwCfbV3QhjxF3kA7szsTeZp5ZIm8
AfUAn3NiwLA9r0hhs3camv4GstIpcJil
=I4+l
-----END PGP SIGNATURE-----
Import Notes
Resolved by subject fallback
Marc G. Fournier wrote:
How would someone upload their key if they don't have access? Some sort of web
interface? One wouldn't want to throw extra admin overhead if it can be
avoided ...
pgfoundry already has a web interface for uploading SSH keys.
--
Alvaro Herrera http://www.CommandPrompt.com/
The PostgreSQL Company - Command Prompt, Inc.
Marc G. Fournier wrote:
Since were chatting :P. My vote would be to move everything back to port
22 and force key based auth only.How does that work? Does that kill the script kiddies in their tracks? I'm
guessing so, but had never thought to try it ...
Depends on where the problem is. AFAIK, it will still go through the
initial cryptographic key exchange before it even starts talking about
auth methods. However, if the problem is that they are trying many
different passwords *over the same connection*, it should fix the problem.
I suggested this long ago for our servers in general (for other
reasons), but was voted down at the time. Can't remember why though :-)
This was around the same time I proposed we should not allow remote root
logins...
How would someone upload their key if they don't have access? Some sort of web
interface? One wouldn't want to throw extra admin overhead if it can be
avoided ...
IIRC, you can already upload your key using the gforge web interface if
you want to - it's just not mandatory.
//Magnus
On Wed, 2008-11-26 at 18:06 -0400, Marc G. Fournier wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1Since were chatting :P. My vote would be to move everything back to port
22 and force key based auth only.How does that work? Does that kill the script kiddies in their tracks? I'm
guessing so, but had never thought to try it ...
Well they can still talk to the port of course but its irrelevant
because unless they have an ssh key, they aren't getting in. Period.
How would someone upload their key if they don't have access? Some sort of web
interface? One wouldn't want to throw extra admin overhead if it can be
avoided ...
See other comment on this.
Joshua D. Drake
--
PostgreSQL
Consulting, Development, Support, Training
503-667-4564 - http://www.commandprompt.com/
The PostgreSQL Company, serving since 1997
Joshua D. Drake wrote:
On Wed, 2008-11-26 at 18:06 -0400, Marc G. Fournier wrote:
Since were chatting :P. My vote would be to move everything back to port
22 and force key based auth only.How does that work? Does that kill the script kiddies in their tracks? I'm
guessing so, but had never thought to try it ...Well they can still talk to the port of course but its irrelevant...
Not really. My servers don't allow remote root ssh access at all. But
all the failed script-kiddie attempts really hose the log files to say
nothing about wasting my bandwidth.
Cheers,
Steve
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- --On Wednesday, November 26, 2008 14:12:42 -0800 "Joshua D. Drake"
<jd@commandprompt.com> wrote:
Well they can still talk to the port of course but its irrelevant
because unless they have an ssh key, they aren't getting in. Period.
Well, they weren't getting in before ... i twas the massive flood of attempts
that was hurting :)
- --
Marc G. Fournier Hub.Org Hosting Solutions S.A. (http://www.hub.org)
Email . scrappy@hub.org MSN . scrappy@hub.org
Yahoo . yscrappy Skype: hub.org ICQ . 7615664
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.9 (FreeBSD)
iEYEARECAAYFAkktzlcACgkQ4QvfyHIvDvMTVwCeJeEMXlp1IUQwl6yFejsabAJc
BlkAn1BYToJyJ0i3wMxpQm9SNeW9LAu2
=EmfE
-----END PGP SIGNATURE-----
"Marc G. Fournier" <scrappy@hub.org> writes:
<jd@commandprompt.com> wrote:
Well they can still talk to the port of course but its irrelevant
because unless they have an ssh key, they aren't getting in. Period.
Well, they weren't getting in before ... i twas the massive flood of attempts
that was hurting :)
Yeah. So having a more secure login API won't help that a bit.
I don't have a problem with moving the ssh support to a nonstandard
port, but I do have a problem with the lack of notification about it.
Even core found out the hard way.
regards, tom lane
Marc G. Fournier wrote:
- --On Wednesday, November 26, 2008 14:12:42 -0800 "Joshua D. Drake"
<jd@commandprompt.com> wrote:Well they can still talk to the port of course but its irrelevant
because unless they have an ssh key, they aren't getting in. Period.Well, they weren't getting in before ... i twas the massive flood of attempts
that was hurting :)
It should be easy to block the IPs that cause too many failures, like
fail2ban does in Linux using iptables.
--
Alvaro Herrera http://www.CommandPrompt.com/
The PostgreSQL Company - Command Prompt, Inc.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- --On Wednesday, November 26, 2008 17:42:12 -0500 Tom Lane <tgl@sss.pgh.pa.us>
wrote:
"Marc G. Fournier" <scrappy@hub.org> writes:
<jd@commandprompt.com> wrote:
Well they can still talk to the port of course but its irrelevant
because unless they have an ssh key, they aren't getting in. Period.Well, they weren't getting in before ... i twas the massive flood of attempts
that was hurting :)Yeah. So having a more secure login API won't help that a bit.
I don't have a problem with moving the ssh support to a nonstandard
port, but I do have a problem with the lack of notification about it.
Even core found out the hard way.
I just moved pgfoundry back to port 22, sinc eout of all of them, I believe
that one had the largest impact ... I would still like to move it back to 35 ...
Email . scrappy@hub.org MSN . scrappy@hub.org
Yahoo . yscrappy Skype: hub.org ICQ . 7615664
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.9 (FreeBSD)
iEYEARECAAYFAkkt1b4ACgkQ4QvfyHIvDvPV1QCgyJBxAAPznvT8CK5Hx6Dj20Jy
BqoAoLAqPZfE6L7uANeHNrpavXZ7L0bt
=o3iw
-----END PGP SIGNATURE-----