Fail2ban deployment to address recent Kerberos/authentication issues

Day/Date: Thursday, January 19, 2012

Service Affected: Facilitzed and Supported Linux Hosts

Details:

On Thursday evening, January 19, 2012 SCS Computing Facilities will deploy an additional measure to combat the recent flood of SSH scans that have been negatively impacting the performance of our Kerberos authentication servers.

A piece of software called 'fail2ban' will be deployed to all Linux Facilitized and Dragon systems. This software looks for authentication failures in the host's log files and will temporarily ban IP addresses of those systems that are repeated offenders.

On Facilitized Linux systems, the software and configuration will be distributed via dosupdepot as usual, and supports the use of '.local' configuration files for overriding the defaults. If you have previously installed fail2ban it is recommended that you take advantage of this '.local' configuration option to preserve your specific fail2ban configuration information. Once the distribution has been released, any fail2ban configuration information not copied to a .local version may be overwritten.

On Dragon systems, the vendor's software package and standard configs will be installed, and the vendor's mechanisms for locally maintaining custom configuration overrides can be used as normal.

Please contact help@cs.cmu.edu or call the SCS Help Desk (x8-4231) if you have questions or problems with applying these patches.

Thank you for your attention,

SCS Help Desk