Re: What's going on with pgfoundry?

Lists: pgsql-hackers
From: Tatsuo Ishii <ishii(at)postgresql(dot)org>
To: pgsql-hackers(at)postgresql(dot)org
Subject: What's going on with pgfoundry?
Date: 2008-11-26 14:43:11
Message-ID: 20081126.234311.52882182.t-ishii@sraoss.co.jp

Today I noticed I cannot log in to cvs.pgfoundry.org anymore since the
IP address has been changed and I am asked for a password, which seems to be
changed. So I cannot use CVS any more. Does anybody know why this happens
and how to fix it?
--
Tatsuo Ishii
SRA OSS, Inc. Japan


From: "Dave Page" <dpage(at)pgadmin(dot)org>
To: "Tatsuo Ishii" <ishii(at)postgresql(dot)org>
Cc: pgsql-hackers(at)postgresql(dot)org
Subject: Re: What's going on with pgfoundry?
Date: 2008-11-26 14:46:20
Message-ID: 937d27e10811260646x2a2e55b4p4634ba240529d3dc@mail.gmail.com

On Wed, Nov 26, 2008 at 2:43 PM, Tatsuo Ishii <ishii(at)postgresql(dot)org> wrote:
> Today I noticed I cannot log in to cvs.pgfoundry.org anymore since the
> IP address has been changed and I am asked for a password, which seems to be
> changed. So I cannot use CVS any more. Does anybody know why this happens
> and how to fix it?

It's the same IP address - but try port 35 for ssh. Marc changed it
(temporarily) due to a vast number of malicious connection attempts.

--
Dave Page
EnterpriseDB UK: http://www.enterprisedb.com


From: Kris Jurka <books(at)ejurka(dot)com>
To: "Marc G(dot) Fournier" <scrappy(at)hub(dot)org>
Cc: Dave Page <dpage(at)pgadmin(dot)org>, Tatsuo Ishii <ishii(at)postgresql(dot)org>, pgsql-hackers(at)postgresql(dot)org
Subject: Re: What's going on with pgfoundry?
Date: 2008-11-26 18:10:51
Message-ID: Pine.BSO.4.64.0811261307540.7852@leary.csoft.net

On Wed, 26 Nov 2008, Dave Page wrote:

>
> It's the same IP address - but try port 35 for ssh. Marc changed it
> (temporarily) due to a vast number of malicious connection attempts.
>

Why wasn't this change communicated to anyone, not even gforge-admins?
How temporary is temporary?

Kris Jurka


From: Steve Crawford <scrawford(at)pinpointresearch(dot)com>
To: Kris Jurka <books(at)ejurka(dot)com>
Cc: "Marc G(dot) Fournier" <scrappy(at)hub(dot)org>, Dave Page <dpage(at)pgadmin(dot)org>, Tatsuo Ishii <ishii(at)postgresql(dot)org>, pgsql-hackers(at)postgresql(dot)org
Subject: Re: What's going on with pgfoundry?
Date: 2008-11-26 18:51:23
Message-ID: 492D9AAB.7060501@pinpointresearch.com

Kris Jurka wrote:
>
>
> On Wed, 26 Nov 2008, Dave Page wrote:
>
>>
>> It's the same IP address - but try port 35 for ssh. Marc changed it
>> (temporarily) due to a vast number of malicious connection attempts.
>>
>
> Why wasn't this change communicated to anyone, not even gforge-admins?
> How temporary is temporary?
>
> Kris Jurka
>
I can't speak to the administrative and communications aspects, but
based on my experience, I can recommend communicating to the appropriate
users and making the change permanent.

I have changed the external ssh port on all machines I administer. The
result is the complete elimination of the previous hundreds to thousands
of daily script-kiddie brute-force attempts I used to see.

Obscurity should not be your *only* line of defense, but camouflage
helps as well. And even if it didn't, it still reduces server-load,
bandwidth and heaps of logfile cruft.

Cheers,
Steve


From: "Marc G(dot) Fournier" <scrappy(at)hub(dot)org>
To: Steve Crawford <scrawford(at)pinpointresearch(dot)com>
Cc: Kris Jurka <books(at)ejurka(dot)com>, Dave Page <dpage(at)pgadmin(dot)org>, Tatsuo Ishii <ishii(at)postgresql(dot)org>, pgsql-hackers(at)postgresql(dot)org
Subject: Re: What's going on with pgfoundry?
Date: 2008-11-26 18:54:43
Message-ID: 20081126145330.F55034@hub.org

On Wed, 26 Nov 2008, Steve Crawford wrote:

> Obscurity should not be your *only* line of defense, but camouflage
> helps as well. And even if it didn't, it still reduces server-load,
> bandwidth and heaps of logfile cruft.

In our case, thankfully, there was minimal bandwidth impact, but the
server load on some of the machines was to the point of unusability ...
again, thankfully, that didn't manifest itself on any of the postgresql
servers, but we didn't want to take any chances of it bleeding over ...

----
Marc G. Fournier Hub.Org Networking Services (http://www.hub.org)
Email . scrappy(at)hub(dot)org MSN . scrappy(at)hub(dot)org
Yahoo . yscrappy Skype: hub.org ICQ . 7615664


From: Andrew Chernow <ac(at)esilo(dot)com>
To: Steve Crawford <scrawford(at)pinpointresearch(dot)com>
Cc: Kris Jurka <books(at)ejurka(dot)com>, "Marc G(dot) Fournier" <scrappy(at)hub(dot)org>, Dave Page <dpage(at)pgadmin(dot)org>, Tatsuo Ishii <ishii(at)postgresql(dot)org>, pgsql-hackers(at)postgresql(dot)org
Subject: Re: What's going on with pgfoundry?
Date: 2008-11-26 19:53:42
Message-ID: 492DA946.2010706@esilo.com

Steve Crawford wrote:
>
> I have changed the external ssh port on all machines I administer. The
> result is the complete elimination of the previous hundreds to thousands
> of daily script-kiddie brute-force attempts I used to see.
>
>
>

+1

We have not used port 22 in our production network for years; for all
the same reasons. Although it's only obfuscation, it works.

--
Andrew Chernow
eSilo, LLC
every bit counts
http://www.esilo.com/


From: David Fetter <david(at)fetter(dot)org>
To: Steve Crawford <scrawford(at)pinpointresearch(dot)com>
Cc: Kris Jurka <books(at)ejurka(dot)com>, "Marc G(dot) Fournier" <scrappy(at)hub(dot)org>, Dave Page <dpage(at)pgadmin(dot)org>, Tatsuo Ishii <ishii(at)postgresql(dot)org>, pgsql-hackers(at)postgresql(dot)org
Subject: Re: What's going on with pgfoundry?
Date: 2008-11-26 20:35:55
Message-ID: 20081126203555.GE2018@fetter.org

On Wed, Nov 26, 2008 at 10:51:23AM -0800, Steve Crawford wrote:
> Kris Jurka wrote:
>> On Wed, 26 Nov 2008, Dave Page wrote:
>>
>>> It's the same IP address - but try port 35 for ssh. Marc changed
>>> it (temporarily) due to a vast number of malicious connection
>>> attempts.
>>
>> Why wasn't this change communicated to anyone, not even
>> gforge-admins? How temporary is temporary?
>>
>> Kris Jurka
>>
> I can't speak to the administrative and communications aspects, but
> based on my experience, I can recommend communicating to the
> appropriate users and making the change permanent.

We should move to a port-knocking
<http://dotancohen.com/howto/portknocking.html> or other modern
strategy if we're going to move at all.

Cheers,
David.
--
David Fetter <david(at)fetter(dot)org> http://fetter.org/
Phone: +1 415 235 3778 AIM: dfetter666 Yahoo!: dfetter
Skype: davidfetter XMPP: david(dot)fetter(at)gmail(dot)com

Remember to vote!
Consider donating to Postgres: http://www.postgresql.org/about/donate


From: Steve Crawford <scrawford(at)pinpointresearch(dot)com>
To: David Fetter <david(at)fetter(dot)org>
Cc: Kris Jurka <books(at)ejurka(dot)com>, "Marc G(dot) Fournier" <scrappy(at)hub(dot)org>, Dave Page <dpage(at)pgadmin(dot)org>, Tatsuo Ishii <ishii(at)postgresql(dot)org>, pgsql-hackers(at)postgresql(dot)org
Subject: Re: What's going on with pgfoundry?
Date: 2008-11-26 21:57:40
Message-ID: 492DC654.8000707@pinpointresearch.com

David Fetter wrote:
>
>
> We should move to a port-knocking
> <http://dotancohen.com/howto/portknocking.html> or other modern
> strategy if we're going to move at all.
>
>
Yeah, but telling my firewall to move port 22 inside to port xxxx
outside took less time than writing this email. Inside the firewall
plain old ssh continues to work fine and I don't have to deal with
issues of forwarding additional ports through the firewall, mucking with
iptables rules, etc.

For my servers, moving outside access to a non-standard port has proven
100% effective for over a year so additional complexity hasn't been
warranted.

Cheers,
Steve


From: "Joshua D(dot) Drake" <jd(at)commandprompt(dot)com>
To: Steve Crawford <scrawford(at)pinpointresearch(dot)com>
Cc: David Fetter <david(at)fetter(dot)org>, Kris Jurka <books(at)ejurka(dot)com>, "Marc G(dot) Fournier" <scrappy(at)hub(dot)org>, Dave Page <dpage(at)pgadmin(dot)org>, Tatsuo Ishii <ishii(at)postgresql(dot)org>, pgsql-hackers(at)postgresql(dot)org
Subject: Re: What's going on with pgfoundry?
Date: 2008-11-26 22:00:59
Message-ID: 1227736859.9359.201.camel@jd-laptop.pragmaticzealot.org

On Wed, 2008-11-26 at 13:57 -0800, Steve Crawford wrote:
> David Fetter wrote:
> >
> >
> > We should move to a port-knocking
> > <http://dotancohen.com/howto/portknocking.html> or other modern
> > strategy if we're going to move at all.
> >
> >
> Yeah, but telling my firewall to move port 22 inside to port xxxx
> outside took less time than writing this email. Inside the firewall
> plain old ssh continues to work fine and I don't have to deal with
> issues of forwarding additional ports through the firewall, mucking with
> iptables rules, etc.
>
> For my servers, moving outside access to a non-standard port has proven
> 100% effective for over a year so additional complexity hasn't been
> warranted.

Since we're chatting :P. My vote would be to move everything back to port
22 and force key based auth only.

Joshua D. Drake

>
> Cheers,
> Steve
>
>
--
PostgreSQL
Consulting, Development, Support, Training
503-667-4564 - http://www.commandprompt.com/
The PostgreSQL Company, serving since 1997
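
The key-only option raised in the last message can be checked mechanically against a server's sshd_config. The following is an added example, not part of the thread and not pgfoundry's configuration; the function name, the sample configurations and the user "deploy" are constructed for illustration.

```python
# Defaults are upstream OpenSSH's documented defaults (distributions may differ).
DEFAULTS = {"passwordauthentication": "yes",
            "kbdinteractiveauthentication": "yes",
            "pubkeyauthentication": "yes"}
# Deprecated alias for the keyboard-interactive keyword.
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}

def audit_key_only(config_text):
    """Return findings; an empty list means password logins are off."""
    first_seen, findings, in_match = {}, [], False
    for n, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        key = ALIASES.get(parts[0].lower(), parts[0].lower())  # keywords are case-insensitive
        value = parts[1] if len(parts) > 1 else ""
        if key == "match":
            in_match = True  # following lines apply only conditionally
        elif key in DEFAULTS and in_match:
            if key != "pubkeyauthentication" and value != "no":
                findings.append(f"line {n}: Match block re-enables {key}")
        elif key in DEFAULTS:
            first_seen.setdefault(key, value)  # sshd keeps the first value it reads
    effective = {**DEFAULTS, **first_seen}
    for key in ("passwordauthentication", "kbdinteractiveauthentication"):
        if effective[key] != "no":
            findings.append(f"{key} is '{effective[key]}', expected 'no'")
    if effective["pubkeyauthentication"] != "yes":
        findings.append("pubkeyauthentication is off; key logins would fail")
    return findings

# Constructed sample configurations (not taken from any real host).
WEAK = """\
Port 35
PasswordAuthentication no
PasswordAuthentication yes
Match User deploy
    PasswordAuthentication yes
"""
HARDENED = """\
Port 22
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
"""
if __name__ == "__main__":
    for name, text in (("WEAK", WEAK), ("HARDENED", HARDENED)):
        print(name, audit_key_only(text) or "key-only")
```

On a live host, `sshd -T` prints the effective configuration and is the authoritative check; this parser does not follow Include directives.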