Closed ivomarino closed 6 years ago
commit https://github.com/ttssdev/appflow/commit/de8258c2e82f97742a0a945bcc95f9d956c9076a introduces initial support for fail2ban
(Debian family). Has been tested on atlantis
, after 6 times assh sockets flush ; ssh -l foo atlantis
the IP has been banned correctly:
2017-03-31 14:48:22,679 fail2ban.server : INFO Changed logging target to /var/log/fail2ban.log for Fail2ban v0.8.11
2017-03-31 14:48:22,679 fail2ban.jail : INFO Creating new jail 'ssh'
2017-03-31 14:48:22,705 fail2ban.jail : INFO Jail 'ssh' uses pyinotify
2017-03-31 14:48:22,719 fail2ban.jail : INFO Initiated 'pyinotify' backend
2017-03-31 14:48:22,722 fail2ban.filter : INFO Added logfile = /var/log/auth.log
2017-03-31 14:48:22,723 fail2ban.filter : INFO Set maxRetry = 6
2017-03-31 14:48:22,724 fail2ban.filter : INFO Set findtime = 600
2017-03-31 14:48:22,724 fail2ban.actions: INFO Set banTime = 600
2017-03-31 14:48:22,746 fail2ban.jail : INFO Jail 'ssh' started
2017-03-31 14:53:12,302 fail2ban.actions: WARNING [ssh] Ban 192.168.80.1
new HAProxy
SSL settings:
EECDH+AESGCM:EDH+AESGCM:EECDH+AES256:EDH+AES256:EECDH+AES128:EDH+AES:RSA+AESGCM:RSA+AES:!aNULL:!eNULL:!LOW:!EXPORT:!MEDIUM:!MD5:!PSK:!RSAPSK:!SRP:!DSS:!CAMELLIA:!RC4:!3DES
ssdh
settings must be tuned for higher security standards, will be developed in branch 38-sshd-hardening. Features we want to add:AllowUsers
.fail2ban
.DSA
andECDSA
.DH 1024 Bit
andECDH
.Arcfour
,3DES
andCBC-Ciphers
.MD5
,SHA1
,<128 Bit
.3DES
,!3DES in OpenSSL
.Test can be done with
ssh-audit
. Example settings: