SSH on by default? (Was: too many deamons by default - F7 test 2 live cd)
Nicolas Mailhot
nicolas.mailhot at laposte.net
Tue Mar 20 10:28:12 UTC 2007
Le Mar 20 mars 2007 10:59, Thomas M Steenholdt a écrit :
> Nicolas Mailhot wrote:
>> Le Mar 20 mars 2007 10:42, Thomas M Steenholdt a écrit :
>>> Nicolas Mailhot wrote:
>>>> Disabling ssh is not a good solution, many people need it. However the
>>>> default fedora ssh setup is woefully insecure
>>>>
>>>> At least ssh rate-limiting should be in the default firewall install.
>>>> Pam_abl would be even better (for other network services)
>>>>
>>> Blacklisting opens the potential for denial-of-service attacks. I'm not
>>> too familiar with the pam_abl implementation,
>>
>> You have per-source-host and per-target-user tuneables
>
> Potential problems with user=root and/or IP spoofing?
You have to balance the risk of DOSing with the protection level. But at
least you can special-case dangerous users, and protect against
distributed root attacks, which iptables won't notice.
--
Nicolas Mailhot
More information about the fedora-devel-list
mailing list