sshguard Blocking access to consul servers
sshguard is blocking ssh access to consul servers. It is getting requests from the bastions which it interprets as hostile and adds an iptables rule to block the bastions on the ssh port. This has the effect of locking everyone out. We should either set a timeout that allows traffic again, or use a different method of determining hostile traffic.
sudo iptables -nvL --line
Results in lines like the following - sometimes 2 or 3 bastion servers are listed
Chain sshguard (1 references)
num pkts bytes target prot opt in out source destination
1 14214 935K DROP all -- * * 10.216.4.4 0.0.0.0/0
The line can be removed with
sudo iptables -D sshguard 1
We should also determine exactly which traffic is triggering this behavior. If it is not being caused by someone with access who has their ssh setup misconfigured, then it is being caused by someone malicious who has gotten access to the bastions.
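When two or three bastions are listed, deleting by rule number has to go from the highest number down, because each `iptables -D` renumbers the rules after it. The script below is an added example, not part of the original issue: it parses the chain listing and prints delete commands for bastion sources only, leaving other blocks in place. The `BASTIONS` list, the function names and every sample row except the 10.216.4.4 one are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: find sshguard DROP rules whose source is a known bastion and
# print the delete commands, highest rule number first so that earlier
# deletions do not shift the numbers of the rules still to be removed.

# Hypothetical list of bastion addresses (10.216.4.4 appears in the listing
# above; 10.216.4.5 is constructed for this example).
BASTIONS="10.216.4.4 10.216.4.5"

# Reads `iptables -nvL sshguard --line-numbers` output on stdin and prints
# "<rule-number> <source>" for each DROP rule whose source is a bastion.
bastion_rules() {
    awk -v bastions="$BASTIONS" '
        BEGIN { n = split(bastions, b, " "); for (i = 1; i <= n; i++) want[b[i]] = 1 }
        # Data rows start with a numeric rule number; the columns are:
        # num pkts bytes target prot opt in out source destination
        $1 ~ /^[0-9]+$/ && $4 == "DROP" && ($9 in want) { print $1, $9 }
    ' | sort -rn
}

# Constructed sample listing: two bastions and one unrelated blocked source.
sample_listing() {
    cat <<'EOF'
Chain sshguard (1 references)
num pkts bytes target prot opt in out source destination
1 14214 935K DROP all -- * * 10.216.4.4 0.0.0.0/0
2 310 18600 DROP all -- * * 203.0.113.7 0.0.0.0/0
3 52 3120 DROP all -- * * 10.216.4.5 0.0.0.0/0
EOF
}

# Prints the delete commands for review instead of running them.
delete_commands() {
    bastion_rules | while read -r num src; do
        echo "sudo iptables -D sshguard $num   # $src"
    done
}

sample_listing | delete_commands
```

On a live host, replace `sample_listing` with `sudo iptables -nvL sshguard --line-numbers` and review the printed commands before running them.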