[Box Backup] Advice for users of Debian-derived systems affected by the OpenSSL fiasco -- assume compromise of all data

Peter Jalajas, GigaLock Backup Services boxbackup@fluffy.co.uk
Mon, 19 May 2008 09:36:33 -0400


Thanks for your timely instructions, Ben.  They helped a lot. This
issue really hurt me this week.

This week, it's Debian, next week, who knows.  Presuming that this
won't be the last time we need to update keys, and maybe it's good
security policy anyway, does anyone out there know of a way to slow
down brute force attacks on our Box Backup servers?

I'm thinking along the lines of using tricks like port knocking (like,
put a
KnockSequence=12345,13456,14567,2201
option in bbackupd.conf)
or
csf/lfd (http://www.configserver.com/cp/csf.html) which blocks source
IPs after a number of failed logins, or limits logins per hour (like,
put
LoginFailuresLimitPerClientPerHour=10
LoginFailuresBlockClientDuration=6H (M=minutes, H=hours, D=days)
MaxLoginsPerClientPerHour=2
options in bbstored.conf).

If these ideas aren't totally silly for some reason, I can put them on
the Features Request page--let me know.

Or is there something I can do on my Ubuntu/Debian OS firewall?  Can
Box Backup be plugged into something like csf/lfd?

Thanks,
Pete
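As an added illustration of the bbstored.conf policy Pete sketches (failure limit per client per hour, block duration, max logins per client per hour), here is a per-client login limiter replayed over constructed login events; this is not code from the message, the list, or Box Backup, and the option names, the event format and the client addresses are assumptions.

```python
from collections import defaultdict, deque
HOUR = 3600

def prune(window, now):  # drop timestamps older than one hour
    while window and window[0] <= now - HOUR:
        window.popleft()

class LoginPolicy:
    # Knob names mirror the message's proposal; they are assumed, not real bbstored options.
    def __init__(self, failures_per_hour=10, block_hours=6, logins_per_hour=2):
        self.failures_per_hour, self.logins_per_hour = failures_per_hour, logins_per_hour
        self.block_seconds = block_hours * HOUR
        self.failures = defaultdict(deque)  # client -> times of failed logins in the last hour
        self.logins = defaultdict(deque)    # client -> times of accepted logins in the last hour
        self.blocked_until = {}             # client -> time its block expires

    def check(self, client, now):
        # Decision before an attempt is processed: 'blocked', 'rate-limited' or 'allow'.
        if now < self.blocked_until.get(client, 0):
            return "blocked"
        self.blocked_until.pop(client, None)  # any earlier block has elapsed
        prune(self.logins[client], now)
        if len(self.logins[client]) >= self.logins_per_hour:
            return "rate-limited"
        return "allow"
    def record(self, client, now, success):
        # Outcome of an attempt that was let through; a failure may start a block.
        if success:
            self.logins[client].append(now)
            return "allow"
        window = self.failures[client]
        window.append(now)
        prune(window, now)
        if len(window) >= self.failures_per_hour:
            self.blocked_until[client] = now + self.block_seconds
            window.clear()
            return "blocked"
        return "allow"
def replay(events, policy=None):
    # events: (epoch_second, client_ip, login_succeeded) tuples, e.g. parsed from a server log.
    policy, out = policy or LoginPolicy(), []
    for now, client, ok in sorted(events):
        decision = policy.check(client, now)
        if decision == "allow":
            decision = policy.record(client, now, ok)
        out.append((now, client, decision))
    return out
# Constructed sample: one client guessing passwords, one legitimate backup client.
SAMPLE = ([(t, "198.51.100.23", False) for t in range(0, 300, 30)] + [(600, "198.51.100.23", False),
          (21870, "198.51.100.23", False)] + [(t, "192.0.2.9", True) for t in (100, 200, 300, 3800)])
```

With the defaults, the guessing client is blocked on its tenth failure for six hours, while the legitimate client's third login inside an hour is refused but its later one is accepted.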