ssh-issues; can we ask SFU IT to remove ip-banning on failed ssh?

Bruno Da Silva

Mar 12, 2020, 7:06:55 AM3/12/20
to Parallel and Distributed Systems at SFU (431)
So the cs-cloud servers both are running a tool called fail2ban (https://www.fail2ban.org/wiki/index.php/Main_Page). This utility adds firewall rules to IP-ban users who fail to login/ssh after a number of attempts (I think it's like, 2 attempts). Normally, this is fine on like the publicly-accessible csil cpu servers since if you try to login just YOUR IP will be banned.

However, with the cs-cloud servers we have to use some other servers as jump servers in order to access them. This means if user A ssh's into gateway.sfu.ca and fails to login to cs-cloud-04 multiple times, cs-cloud-04 will temporarily firewall/ban the IP of gateway.sfu.ca from connecting. This has led to numerous times where I or some other students have been unable to ssh into the cloud servers to work on assignments due to another user failing to login.

This, right now, is blocking access for us to connect to cs-cloud-02, for example. 

Since we require a jump server to connect to these cloud servers and cannot directly connect from outside SFU's network, could we ask IT to do one of the following?
- whitelist certain internal servers like gateway.sfu.ca from being ip banned, explained here: https://www.fail2ban.org/wiki/index.php/Whitelist
    - because you have to successfully ssh/authenticate to these servers first anyways!
- disable fail2ban altogether (maybe the less ideal approach for security reasons)
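
The amplification described above, replayed in code. This is an added example, not part of the thread and not fail2ban's own code: a small Python model of the sshd jail's counting (maxretry failures from one source address inside findtime ban that address for bantime; addresses listed in ignoreip are never counted) run over a constructed sshd log excerpt. The two jail.local drop-ins, the hostnames and the addresses (192.0.2.10 standing in for the shared jump host, 198.51.100.7 for a direct source) are invented for the example and are not the SFU servers' configuration.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sshd log excerpt in syslog format (RFC 5737 documentation
# addresses; 192.0.2.10 plays the shared jump host, 198.51.100.7 a direct source).
SAMPLE_AUTH_LOG = """\
Mar 12 10:01:02 cs-cloud-04 sshd[2101]: Failed password for invalid user bob from 192.0.2.10 port 51234 ssh2
Mar 12 10:01:30 cs-cloud-04 sshd[2101]: Failed password for invalid user bob from 192.0.2.10 port 51234 ssh2
Mar 12 10:02:15 cs-cloud-04 sshd[2140]: Accepted publickey for alice from 192.0.2.10 port 51300 ssh2
Mar 12 10:03:01 cs-cloud-04 sshd[2177]: Failed password for root from 198.51.100.7 port 40001 ssh2
Mar 12 10:03:04 cs-cloud-04 sshd[2178]: Failed password for root from 198.51.100.7 port 40002 ssh2
"""

# Hypothetical jail.local drop-in with the aggressive settings the thread describes.
JAIL_BASE = """\
[sshd]
enabled  = true
maxretry = 2
findtime = 600
bantime  = 3600
ignoreip = 127.0.0.1/8 ::1
"""
# Same jail with the jump host's address added to ignoreip (the proposed fix).
JAIL_WHITELISTED = JAIL_BASE.replace("ignoreip = 127.0.0.1/8 ::1",
                                     "ignoreip = 127.0.0.1/8 ::1 192.0.2.10")

LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<verdict>Failed|Accepted) \S+ for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)


def parse_jail(text):
    """Read the jail's numeric knobs and its ignoreip list of networks."""
    cfg = {}
    for line in text.splitlines():
        m = re.match(r"^\s*(\w+)\s*=\s*(.*?)\s*$", line)
        if m:
            cfg[m.group(1)] = m.group(2)
    return {
        "maxretry": int(cfg.get("maxretry", 5)),
        "findtime": timedelta(seconds=int(cfg.get("findtime", 600))),
        "bantime": timedelta(seconds=int(cfg.get("bantime", 600))),
        "ignoreip": [ipaddress.ip_network(n, strict=False)
                     for n in cfg.get("ignoreip", "").split()],
    }


def parse_log(text, year=2020):
    """Yield (timestamp, verdict, user, ip) per sshd auth line; syslog has no year."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["verdict"], m["user"], m["ip"]


def is_ignored(ip, networks):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


def simulate(jail_text, log_text):
    """Replay the log the way the sshd jail counts it. Every Failed line counts
    against its source IP; maxretry failures inside findtime ban that IP for
    bantime; ignoreip addresses are skipped. Returns ({ip: ban_expiry}, list of
    (user, ip) logins that would have been refused because the IP was banned)."""
    jail = parse_jail(jail_text)
    failures = defaultdict(deque)   # ip -> timestamps of recent failures
    bans = {}
    collateral = []
    for ts, verdict, user, ip in parse_log(log_text):
        if ip in bans and ts < bans[ip]:
            if verdict == "Accepted":
                collateral.append((user, ip))  # legitimate user hit by the ban
            continue
        if verdict != "Failed" or is_ignored(ip, jail["ignoreip"]):
            continue
        window = failures[ip]
        window.append(ts)
        while window and ts - window[0] > jail["findtime"]:
            window.popleft()            # forget failures older than findtime
        if len(window) >= jail["maxretry"]:
            bans[ip] = ts + jail["bantime"]
            window.clear()
    return bans, collateral


if __name__ == "__main__":
    for name, jail in (("base jail", JAIL_BASE), ("jump host in ignoreip", JAIL_WHITELISTED)):
        bans, collateral = simulate(jail, SAMPLE_AUTH_LOG)
        print(f"{name}: banned={sorted(bans)} refused_logins={collateral}")
```

With the base jail, bob's two failures ban the jump host's address and alice's later publickey login from that same address is refused; with the jump host in ignoreip only the direct source is banned. On a real host, `fail2ban-client status sshd` lists the currently banned addresses and `fail2ban-client get sshd ignoreip` shows the ignore list the running daemon actually loaded, which is the thing to check when a ban still appears after jail.local was edited.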

Arrvindh Shriraman

Mar 12, 2020, 12:27:13 PM3/12/20
to parallel-s...@googlegroups.com
I have fwd this. We should be able to whitelist internal servers. 

--
You received this message because you are subscribed to the Google Groups "Parallel and Distributed Systems at SFU (431)" group.
To unsubscribe from this group and stop receiving emails from it, send an email to parallel-systems...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/parallel-systems-sfu/93d85508-3058-48b2-9efa-d9e7820fb012%40googlegroups.com.
--
Arrvindh Shriraman
Associate Professor
Computer Science
Simon Fraser University

Bruno Da Silva

Mar 12, 2020, 12:28:54 PM3/12/20
to Parallel and Distributed Systems at SFU (431)
Thank you :)


Vijender Bakhshi

Mar 12, 2020, 1:55:42 PM3/12/20
to parallel-s...@googlegroups.com
In 5 minutes I'll be attending an IT council meeting, I can bring this up if you'd like. 

Arrvindh Shriraman

Mar 12, 2020, 2:20:05 PM3/12/20
to Parallel and Distributed Systems at SFU (431 or 880)
Please do. I am trying to modify it myself; hopefully they won't overwrite it in the future.
Arrvindh Shriraman
Associate Professor
Computer Science
Simon Fraser University

Arrvindh Shriraman

Mar 12, 2020, 2:30:13 PM3/12/20
to Parallel and Distributed Systems at SFU (431)
I have updated for linux.cs.sfu.ca and 
csil-cpu10.csil.sfu.ca

If there are any other gateway servers folks are using, please direct message me the IP addresses of those machines.

VJ

Mar 12, 2020, 2:38:45 PM3/12/20
to Parallel and Distributed Systems at SFU (431)
Update on IT meeting. I asked the meeting chair if it was the correct place to bring it up; they said not really. So nothing's gonna come of this, but it seems you've got it under control.

Bruno Da Silva

Mar 12, 2020, 4:16:43 PM3/12/20
to Parallel and Distributed Systems at SFU (431)
Could you add:
- gateway.sfucloud.ca ( 199.60.17.220 )
- fraser.sfu.ca ( 142.58.101.25 )

Thank you!

Arrvindh Shriraman

Mar 17, 2020, 2:11:43 PM3/17/20
to Parallel and Distributed Systems at SFU (431)
Try now; they seem to have overwritten

Bruno Da Silva

Mar 17, 2020, 2:14:58 PM3/17/20
to Parallel and Distributed Systems at SFU (431)
Mmm, I'm still getting connection refused from gateway; perhaps there's a different, more permanent blocking happening there.

bdasilva@gateway:/$ ssh x...@cs-cloud-02.cs.surrey.sfu.ca
ssh: connect to host cs-cloud-02.cs.surrey.sfu.ca port 22: Connection refused

At least for now, the other servers are working so hopefully this will be fine... I suppose we'll see :)

Thank you!