Admin Notes for SSH Service

Available servers

We provide two SSH servers:

ssh.inf
Accessible by all DICE users. This is currently on bruegel. See external-access-server-student.h for details.
staff.ssh.inf
Accessible by anyone in the login/staffssh/remote netgroup, which includes all staff, visitors and research postgraduate students. This is currently on hare. See external-access-server-staff.h for details.

If a machine dies then the expectation is that a new machine will be installed and the DNS CNAMEs moved as required. If the staff server dies then all users can simply be directed to the general server for the period of downtime. If the general server dies then ideally you just quickly install another one (it really doesn't take much time), but if that cannot be done then the LCFG profile for the staff server could be reconfigured to take over. In that case, when you later reset the staff server config you probably want to at least reboot it, to force all non-staff users to reconnect to the correct server.

There is also a test server - rabbit - which can be used to try out any changes before applying them to the live service.

Resources

These services do not require much in the way of computing power or disk space so we typically put them on old hardware which has previously been used for something else. This means they may be quite old but we've not found that to be a cause of excessive failures.

As these machines are obvious candidates for remote attacks we aim to keep them on real hardware so that any successful intrusion could not jump from the VM to the host.

To ensure users do not accidentally cause a DoS attack on a machine we strictly limit the amount of memory and the number of processes. Occasionally users hit these limits and complain but it's most likely they should have been doing the work somewhere else...

fail2ban

We run fail2ban to monitor the authentication logs and apply bans when an address produces too many login failures. Occasionally this causes problems for users who have repeatedly tried the wrong password. To unban an IP address for someone do the following (e.g. the IP address is 1.2.3.4):

nsu
fail2ban-client set sshtcpwrap unbanip 1.2.3.4

You can verify this had the desired effect by checking that the address is no longer listed in /etc/hosts.deny.
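An added example, not code from this page or from the DICE configuration: a small POSIX shell helper that performs the unban above and then confirms the address has left /etc/hosts.deny, matching the whole address so that an entry for 1.2.3.45 is not mistaken for 1.2.3.4. It assumes fail2ban's hostsdeny action writes entries as "ALL: <address>" (one or more addresses per line); the jail name sshtcpwrap and the hosts.deny check are taken from the notes above.

```shell
#!/bin/sh
# Added example: unban an address in the sshtcpwrap jail and confirm it
# has been removed from /etc/hosts.deny. Run as root (via nsu on DICE).
# Assumption: fail2ban's hostsdeny action writes lines like "ALL: 1.2.3.4".

HOSTS_DENY=${HOSTS_DENY:-/etc/hosts.deny}
JAIL=${JAIL:-sshtcpwrap}

# ip_in_hosts_deny ADDRESS FILE
# Returns 0 if ADDRESS is listed as a banned address in FILE, 1 otherwise.
# Dots in the address are escaped and the match is anchored on both sides
# so that 1.2.3.4 does not match 1.2.3.45; commented-out lines are ignored.
ip_in_hosts_deny() {
    ip=$1
    file=$2
    pat=$(printf '%s' "$ip" | sed 's/\./\\./g')
    grep -Eq "^[^#]*[[:space:]:,]${pat}([[:space:],]|$)" "$file"
}

# unban_and_verify ADDRESS
# Asks fail2ban to lift the ban, then checks the address is really gone.
unban_and_verify() {
    ip=$1
    fail2ban-client set "$JAIL" unbanip "$ip" || return 1
    if ip_in_hosts_deny "$ip" "$HOSTS_DENY"; then
        echo "$ip is still listed in $HOSTS_DENY" >&2
        return 1
    fi
    echo "$ip is no longer listed in $HOSTS_DENY"
}

# Usage: ./unban.sh 1.2.3.4
if [ "$#" -gt 0 ]; then
    unban_and_verify "$1"
fi
```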

-- StephenQuinney - 21 Jan 2019


Topic revision: r2 - 25 Jan 2019 - 15:23:56 - StephenQuinney