Activate fail2ban sshd ddos jail for non production machines #1143

Merged: 1 commit, Nov 1, 2024

Conversation

@leona-ya (Member) commented Oct 30, 2024

PL-132477

@flyingcircusio/release-managers

Release process

  • Created changelog entry using ./changelog.sh

PR release workflow (internal)

  • PR has internal ticket
  • internal issue ID (PL-…) part of branch name
  • internal issue ID mentioned in PR description text
  • ticket is on Platform agile board
  • ticket state set to Pull request ready
  • if ticket is more urgent than within the next few days, directly contact a member of the Platform team

Design notes

  • Provide a feature toggle if the change might need to be adjusted/reverted quickly depending on context. Consider whether the default should be on or off. Example: rate limiting.
    • indirectly done by first enabling on staging
    • can be disabled with the one-liner services.fail2ban.jails.sshd.settings.mode = "normal";
  • All customer-facing features and (NixOS) options need to be discoverable from documentation. Add or update relevant documentation such that hosted and guided customers can understand it as well.

Security implications

  • Security requirements defined? (WHERE)
    1. Shouldn't interfere with any workflows/usages of SSH
    2. Should mitigate SSH DHeat attacks
    3. maxretry change shouldn't have high security impact
  • Security requirements tested? (EVIDENCE)
    1. Tested with batou, monitoring on test47, roll out to staging only for one release cycle to potentially catch issues in staging before they happen in production, increased maxretry limit to allow for more failures before blocking
    2. Tested using ssh-audit on test47
    3. Small change, and the most important brute force vector is with password auth which we don't allow.

@leona-ya marked this pull request as ready for review October 30, 2024 12:23
@ctheune merged commit 16a5e04 into fc-24.05-dev Nov 1, 2024
1 check passed
@ctheune deleted the PL-132477-dheat-ssh branch November 1, 2024 08:59