aix / drive overflowing #866

Closed
refack opened this issue Sep 6, 2017 · 15 comments

@refack
Contributor

refack commented Sep 6, 2017

On both test-osuosl-aix61-ppc64_be-1/2 there's a file /etc/security/failedlogin that's 300-400MB and it's on the / fs which is only 700MB.
For now I moved it to /home/ in case anyone wants to inspect it.
Looking for ideas on how to limit its size, or roll it over to a bigger partition.

@refack
Contributor Author

refack commented Sep 6, 2017

/cc @nodejs/platform-aix

@mhdawson
Member

mhdawson commented Sep 6, 2017

I can increase the size of / but it may be better to figure out how to move it? Was it causing failures or did you notice this proactively?

@refack
Contributor Author

refack commented Sep 6, 2017

Not sure about failures, but after a few commands you couldn't even cd:

# cd /home/iojs/build/workspace/node-test-commit-aix
ksh: There is not enough space in the file system.

@refack
Contributor Author

refack commented Sep 6, 2017

So a quick look at the IPs in failedlogin looks like it was attempted to be brute forced. Multiple times. The sampled IPs are known abuse sources:
https://www.abuseipdb.com/check/61.177.172.52
https://www.abuseipdb.com/check/218.65.30.53
https://www.abuseipdb.com/check/116.31.116.7

Maybe we need to implement some brute force mitigation techniques...

@refack
Contributor Author

refack commented Sep 6, 2017

It's already 18MB after < 24h:

bash-4.3# ls -la /etc/security/failedlogin
-rw-r-----    1 root     system     18273600 Sep 06 14:01 /etc/security/failedlogin

@refack
Contributor Author

refack commented Sep 11, 2017

I added the following two lines to /etc/ssh/sshd_config:

PasswordAuthentication no
ChallengeResponseAuthentication no

So now publickey is the only available authentication method.

AFAICT this way brute force password guessing is impossible, and also does not generate entries in failedlogin.
@rvagg @mhdawson @joaocgreis PTAL

@sam-github
Contributor

only allowing public key auth seems like good security practice to me

@sam-github
Contributor

@gibfahn can you foresee any negative repercussions to automation?

@refack
Contributor Author

refack commented Sep 11, 2017

I'm asking as currently the AIX setup is semi-manual, and I didn't know if a password is used in the earlier stages.

@gibfahn
Member

gibfahn commented Sep 11, 2017

> @gibfahn can you foresee any negative repercussions to automation?

I can't, but I don't have that much experience with the bootstrapping part of the setup. Previously @mhdawson put my key on them and then I did the rest.

So that'd be a question for @mhdawson.

@joaocgreis
Member

This sounds good to me, I can't foresee any issue with doing this. Any machine has to be prepared to run Ansible by adding some key (there might be ways to run Ansible with passwords, but that'd be more work for nothing).

We already have a step to disable sftp, this could be added next to it.

@mhdawson
Member

Seems reasonable to me as well, although I'm not an expert at ssh configuration. I don't think there is any step that needs to login with a password as opposed to ssh key, other than possibly when we first receive the machines and have to add the initial ssh key (I can't remember as it's been a long time since I did that).

@refack
Contributor Author

refack commented Sep 11, 2017

Great. So I'll try to "ansible"ize that.

@AshCripps
Member

Can this issue be closed? There's been no update on it for two years so I assume the problem is fixed?

@sam-github
Contributor

Not fixed:

% parallel-ssh -i -h ../hosts/aix61-ppc64_be grep PasswordAuthentication /etc/ssh/sshd_config
[1] 09:24:54 [SUCCESS] test-osuosl-aix61-ppc64_be-2
PasswordAuthentication no
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication, then enable this but set PasswordAuthentication
[2] 09:24:54 [SUCCESS] test-osuosl-aix61-ppc64_be-3
#PasswordAuthentication yes
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication, then enable this but set PasswordAuthentication
[3] 09:24:54 [SUCCESS] test-osuosl-aix61-ppc64_be-1
PasswordAuthentication no
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication, then enable this but set PasswordAuthentication
[4] 09:24:54 [SUCCESS] release-osuosl-aix61-ppc64_be-1
#PasswordAuthentication yes
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication, then enable this but set PasswordAuthentication

Needs to be added to the manual setup instructions in ansible/aix61-standalone/manualBootstrap.md, and it needs to be done on the hosts missing the setup.

Can you document, @AshCripps and I'll make the changes?
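
The grep output above has to be read by eye: a commented-out `#PasswordAuthentication yes` means the default is still in force. The script below is an added example, not code from this thread or from the project; it resolves the value in force for both settings from the sshd_config change earlier in the thread. The function names and the sample files are constructed for illustration, and it assumes both keywords default to `yes` when unset.

```sh
#!/bin/sh
# Added example. sshd keeps the first value it reads for a keyword, keywords
# are case-insensitive, and a commented-out line leaves the default active.

# effective_value FILE KEYWORD DEFAULT: print the value in force in the
# global section (simplification: stop at the first Match block).
effective_value() {
    awk -v key="$2" -v def="$3" '
        BEGIN { key = tolower(key); val = def }
        /^[ \t]*#/ { next }                   # comment, setting not active
        { sub(/^[ \t]+/, "") }
        tolower($1) == "match" { exit }       # end of global section
        {
            n = split($0, f, /[ \t=]+/)       # "Key value" or "Key=value"
            if (n >= 2 && tolower(f[1]) == key) { val = tolower(f[2]); exit }
        }
        END { print val }
    ' "$1"
}

# password_login_possible FILE: exit 0 if either password-style method
# is still enabled (assumed default for both keywords: yes).
password_login_possible() {
    pa=$(effective_value "$1" PasswordAuthentication yes)
    cr=$(effective_value "$1" ChallengeResponseAuthentication yes)
    [ "$pa" != "no" ] || [ "$cr" != "no" ]
}

# Constructed samples mirroring the two states seen in the grep output.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
printf '%s\n' 'PasswordAuthentication no' 'ChallengeResponseAuthentication no' \
    '# PasswordAuthentication.  Depending on your PAM configuration,' \
    > "$demo_dir/hardened"
printf '%s\n' '#PasswordAuthentication yes' \
    '# PasswordAuthentication.  Depending on your PAM configuration,' \
    > "$demo_dir/default"

for f in hardened default; do
    if password_login_possible "$demo_dir/$f"; then
        echo "$f: password logins still possible"
    else
        echo "$f: publickey only"
    fi
done
```

A host that sets only `PasswordAuthentication no` is still reported as allowing password logins, because `ChallengeResponseAuthentication` stays at its default.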

action items automation moved this from In Progress to done Nov 15, 2019