[Savannah-hackers-public] Re: ssh logins to lists.gnu.org
From: Sylvain Beucler
Subject: [Savannah-hackers-public] Re: ssh logins to lists.gnu.org
Date: Wed, 21 Jan 2009 21:39:55 +0100
User-agent: Mutt/1.5.18 (2008-05-17)
Hi,
Well, if we can access fencepost through SSH, why is it a problem to
access lists through SSH? :)
The fact that the computer is old means a brute force attack will take more
time, so I'm not sure I understand the problem. Do you mean the distro
is out of sync and you need a couple months to deal with an insecure
setup?
(Btw, if you want to avoid SSH brute force you might want to have a
look at 'fail2ban' (which is incidentally installed at Savannah :)))
Cheers,
--
Sylvain
On Wed, Jan 21, 2009 at 03:04:08PM -0500, Ward Vandewege wrote:
> On Wed, Jan 21, 2009 at 08:44:24PM +0100, Sylvain Beucler wrote:
> > Yes, all those people are Savannah Hackers (except maybe Patrick,
> > though there's no reason to revoke his access as of now).
>
> OK, thanks for confirming that.
>
> > Do you *really* want to introduce IP-based restrictions? This kind of
> > thing is a major inconvenience.
>
> I understand it can be inconvenient if you don't have access to a machine
> with a fixed IP. Is that the problem? If so, we could allow access from
> fencepost, for instance.
>
> If the inconvenience is simply having to jump through a machine to get to
> lists, you could use a .ssh/config stanza like this to automate it:
>
> Host lists
> ProxyCommand ssh address@hidden -C $SSH_PROXY_FLAGS nc -w60 lists.gnu.org 22
> User lists
>
> Or are there other reasons why this is a major inconvenience?
>
> We've seen a lot of ssh brute force attacks lately, and as you know lists is
> not the most modern system. We're going to do something about that: we are
> currently waiting for replacement hardware. In the meantime, we think it is
> still wise to avoid the whole ssh brute forcing problem by not making the
> port accessible from the whole internet to start out with.
>
> Does that make sense?
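The fail2ban approach Sylvain mentions works by counting failed logins per source address inside a time window (fail2ban's maxretry/findtime settings) and acting on addresses that cross the threshold. The following is an added example, not code from this thread or from fail2ban itself: it implements that sliding-window count over constructed auth.log lines, so the difference between a burst of failures and an isolated typo is visible. The function name `find_offenders` and the sample addresses are assumptions made for the example.

```python
"""Minimal fail2ban-style detection of SSH brute-force attempts (added example)."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in the syslog format sshd writes to auth.log.
# 192.0.2.10 hammers the host; 198.51.100.7 is a legitimate user who mistypes once.
SAMPLE_LOG = """\
Jan 21 20:01:02 lists sshd[1234]: Failed password for invalid user admin from 192.0.2.10 port 51234 ssh2
Jan 21 20:01:05 lists sshd[1235]: Failed password for invalid user oracle from 192.0.2.10 port 51240 ssh2
Jan 21 20:01:09 lists sshd[1236]: Failed password for root from 192.0.2.10 port 51250 ssh2
Jan 21 20:02:30 lists sshd[1240]: Accepted publickey for sylvain from 198.51.100.7 port 40000 ssh2
Jan 21 20:03:00 lists sshd[1241]: Failed password for sylvain from 198.51.100.7 port 40010 ssh2
Jan 21 20:45:00 lists sshd[1300]: Failed password for invalid user test from 192.0.2.10 port 51300 ssh2
"""

# Matches sshd's "Failed password" line; "invalid user" appears when the account does not exist.
FAILED = re.compile(
    r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(\S+) from (\S+) port \d+ ssh2$"
)


def parse_ts(stamp, year=2009):
    """Syslog timestamps carry no year; assume one (2009, the date of this thread)."""
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")


def find_offenders(log_text, maxretry=3, findtime=600):
    """Return {ip: peak_failures} for addresses with >= maxretry failures
    within any findtime-second window (the same rule fail2ban's sshd jail applies)."""
    recent = defaultdict(list)  # ip -> timestamps of failures still inside the window
    offenders = {}
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if not m:
            continue  # successful logins and unrelated messages are ignored
        stamp, _user, ip = m.groups()
        now = parse_ts(stamp)
        recent[ip].append(now)
        # Slide the window: forget failures older than findtime seconds.
        recent[ip] = [t for t in recent[ip] if (now - t).total_seconds() <= findtime]
        if len(recent[ip]) >= maxretry:
            offenders[ip] = max(offenders.get(ip, 0), len(recent[ip]))
    return offenders


if __name__ == "__main__":
    print(find_offenders(SAMPLE_LOG))  # {'192.0.2.10': 3}
```

The single failure from 198.51.100.7 never reaches the threshold, and 192.0.2.10's later attempt at 20:45 falls outside the window of its earlier burst, so only the burst itself is flagged.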