[Box Backup] Advice for users of Debian-derived systems affected by the OpenSSL fiasco -- assume compromise of all data

Peter Jalajas, GigaLock Backup Services boxbackup@fluffy.co.uk
Mon, 19 May 2008 16:21:42 -0400


Thanks for the input everyone.

fail2ban looks like the lightest solution.

Shorewall, denyhosts, and portsentry are good well-known tools,
although I think more complicated.  Snort came up on my research this
morning as another well-known, but complicated, option.

Another interesting simple-looking trick that might work, derived
from:  http://kevin.vanzonneveld.net/techblog/article/block_brute_force_attacks_with_iptables/
would be some variant of:
sudo iptables -A INPUT -i eth0 -p tcp --dport 2201 -m state --state NEW \
    -m recent --set --name BoxBackup
sudo iptables -A INPUT -i eth0 -p tcp --dport 2201 -m state --state NEW \
    -m recent --update --seconds 60 --hitcount 8 --rttl --name BoxBackup -j DROP

I've read this morning that ssh is quite resistant to brute-force
attacks because of the delay between password prompts (not sure if
that applies to publickey logins).  Does Box Backup have a similar
feature to insert a delay between login attempts from a client?  If
so, is it configurable?  And if not, should I put it on the Feature
Request page (something like
DelayBetweenClientLoginAttempts=60S, where S=Seconds, M=Minutes, H=Hours)?

Although I'd hate to have to add and manage a whole 'nother
application on my systems simply to prevent brute force attacks
against Box Backup, they're probably worth it in the long run.  But
it'd be simpler, and I guess thus safer and cleaner, to have this
little feature within Box Backup itself.

Thanks again, everyone,
Pete
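As an added illustration of the two iptables rules quoted in the message above (this is not code from the post or from the Box Backup project), the following Python models what the `-m recent --set` / `--update --seconds 60 --hitcount 8` pair does to a stream of NEW connections, so you can see which attempts the firewall would drop before deploying the rules on a real host. The semantics (the `--set` rule records every packet; the `--update` rule counts recorded hits inside the window and refreshes the entry when it matches) follow my reading of the kernel `xt_recent` module, the 20-stamps-per-address table size is the module's default and is assumed here, and `--rttl` is not modelled. The sample traffic is constructed.

```python
# Added example, not from the post or Box Backup: a user-space model of the
# quoted "-m recent" throttle, run over constructed connection events.
# Assumptions: xt_recent keeps at most 20 timestamps per address (its default
# ip_pkt_list_tot), and --update adds a timestamp when it matches. --rttl is
# not modelled.
from collections import defaultdict, deque

WINDOW_SECONDS = 60   # --seconds 60
HITCOUNT = 8          # --hitcount 8
STAMPS_PER_ADDR = 20  # assumed xt_recent default ring-buffer size


class RecentThrottle:
    """Per-source sliding window: DROP a NEW connection when the source has
    HITCOUNT or more recorded hits inside the last WINDOW_SECONDS."""

    def __init__(self, seconds=WINDOW_SECONDS, hitcount=HITCOUNT):
        self.seconds = seconds
        self.hitcount = hitcount
        # source ip -> ring buffer of hit timestamps (oldest evicted first)
        self.stamps = defaultdict(lambda: deque(maxlen=STAMPS_PER_ADDR))

    def decide(self, src, now):
        q = self.stamps[src]
        q.append(now)                     # rule 1: --set records this packet
        # rule 2: --update --seconds/--hitcount counts stamps inside the window
        in_window = sum(1 for t in q if now - t <= self.seconds)
        if in_window >= self.hitcount:
            q.append(now)                 # --update refreshes the entry on match,
            return "DROP"                 # so a persistent source stays blocked
        return "ACCEPT"


def simulate(events, throttle=None):
    """events: iterable of (time_seconds, source_ip) for NEW TCP connections,
    in time order. Returns a list of (time, src, verdict)."""
    throttle = throttle or RecentThrottle()
    return [(t, src, throttle.decide(src, t)) for t, src in events]


# Constructed sample traffic: a legitimate client connecting every 5 minutes,
# and a second source hitting the port once per second for 15 seconds, then
# trying once more about 90 seconds after its burst.
SAMPLE_EVENTS = sorted(
    [(t, "192.0.2.10") for t in range(0, 1200, 300)] +
    [(t, "198.51.100.7") for t in range(100, 115)] +
    [(200, "198.51.100.7")]
)


def verdict_counts(events=SAMPLE_EVENTS):
    """Summarise verdicts per source: {src: {"ACCEPT": n, "DROP": m}}."""
    summary = defaultdict(lambda: {"ACCEPT": 0, "DROP": 0})
    for _, src, verdict in simulate(events):
        summary[src][verdict] += 1
    return dict(summary)


if __name__ == "__main__":
    for t, src, verdict in simulate(SAMPLE_EVENTS):
        print(f"t={t:4d}s {src:15s} {verdict}")
    print(verdict_counts())
```

Running it shows the slowly connecting client is never touched, the bursting source is accepted seven times and dropped from its eighth attempt onward, and the same source is accepted again once its recorded hits have aged out of the 60-second window. Note that a real deployment also has to keep the client's own legitimate reconnects (for example after a network blip) below the hit count, which is why the window and threshold are worth tuning against the backup schedule rather than copying blindly.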