Computing Facilities    links to the SCS and CMU home pages Carnegie Mellon School of Computer Science Carnegie Mellon University
Advanced search tips 
 » Introduction to Facilities 
 » Accounts & passwords 
 » AFS 
 » Application software 
 » AV help 
 » Backups & restores 
 » Calendaring 
 » E-mail 
 » Networking 
 » Printing 
 » Purchasing 
 » Resource management 
 » Security 
 » Software licensing 
 » Support charges 
 » Web publishing 
 » Your health 
 » Mac support 
 » Linux support 
 » Windows PC support 

Fail2ban deployment to address recent Kerberos/authentication issues

Day/Date: Thursday, January 19, 2012

Service Affected: Facilitzed and Supported Linux Hosts


On Thursday evening, January 19, 2012 SCS Computing Facilities will deploy an additional measure to combat the recent flood of SSH scans that have been negatively impacting the performance of our Kerberos authentication servers.

A piece of software called 'fail2ban' will be deployed to all Linux Facilitized and Dragon systems. This software looks for authentication failures in the host's log files and will temporarily ban IP addresses of those systems that are repeated offenders.

On Facilitized Linux systems, the software and configuration will be distributed via dosupdepot as usual, and supports the use of '.local' configuration files for overriding the defaults. If you have previously installed fail2ban it is recommended that you take advantage of this '.local' configuration option to preserve your specific fail2ban configuration information. Once the distribution has been released, any fail2ban configuration information not copied to a .local version may be overwritten.

On Dragon systems, the vendor's software package and standard configs will be installed, and the vendor's mechanisms for locally maintaining custom configuration overrides can be used as normal.

Please contact or call the SCS Help Desk (x8-4231) if you have questions or problems with applying these patches.

Thank you for your attention,

SCS Help Desk