SSHd
Matthew Schick
mschick at redhat.com
Wed Aug 23 13:40:32 UTC 2006
On Wed, 2006-08-23 at 09:35 -0400, Matthew Miller wrote:
> On Wed, Aug 23, 2006 at 01:27:48PM +0200, Arjan van de Ven wrote:
> > > account, would best be dealt with by a default configuration that
> > > blocks an IP for some time if enough unsuccessful attempts are made.
> > installing denyhosts by default sounds reasonable ;)
>
> I don't think so. Denyhosts works by manipulating /etc/hosts.deny, which is
> a security-sensitive config file which shouldn't be edited willy-nilly by
> scripts.
>
> And, this won't even work in the configuration we use here (which while not
> the fedora default is widespread good practice) -- put "ALL:ALL" in
> /etc/hosts.deny and then explicitly enable the services and hosts you want
> to let in in /etc/hosts.allow.
>
> It would be better to have a "denyhosts" iptables chain which the program
> could add to and remove from.
>
> --
> Matthew Miller mattdm at mattdm.org <http://mattdm.org/>
> Boston University Linux ------> <http://linux.bu.edu/>
My personal favorite is fail2ban (http://fail2ban.sourceforge.net/)
which does exactly that. It'll also work outta the box for other
services (pop3, apache). Very configurable, works like a charm...
--
Matthew Schick
System Administrator, Engineering Services
Red Hat, Inc.
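The mechanism the thread is debating (count failed sshd logins per source, block the source after enough of them, release it again after a while, and express the block as a rule in a dedicated iptables chain rather than by editing /etc/hosts.deny), as an added Python example that is not code from either poster, from fail2ban or from denyhosts. The chain name `denyhosts`, the threshold values and the caller-supplied timestamps are assumptions; the log lines are constructed.

```python
import re
from collections import defaultdict, deque

# Matches sshd's "Failed password for [invalid user] NAME from IP port N ssh2"
FAILED_RE = re.compile(r"Failed password for .*? from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})")


class BanTracker:
    """fail2ban-style counter: ban after max_retry failures within find_time seconds."""

    def __init__(self, max_retry=5, find_time=600, ban_time=3600, chain="denyhosts"):
        self.max_retry, self.find_time, self.ban_time = max_retry, find_time, ban_time
        self.chain = chain                      # assumed: a chain INPUT already jumps to
        self.attempts = defaultdict(deque)      # ip -> timestamps of recent failures
        self.bans = {}                          # ip -> time at which the ban expires

    def observe(self, line, now):
        """Feed one log line with its timestamp; return the iptables command if a ban fires.
        Commands are returned as argv lists (subprocess.run would execute them) so the
        logic can be exercised offline."""
        m = FAILED_RE.search(line)
        if not m or m.group("ip") in self.bans:  # not a failure, or already blocked
            return None
        ip = m.group("ip")
        window = self.attempts[ip]
        window.append(now)
        while window and now - window[0] > self.find_time:  # drop stale attempts
            window.popleft()
        if len(window) >= self.max_retry:
            self.bans[ip] = now + self.ban_time
            window.clear()
            return ["iptables", "-I", self.chain, "-s", ip, "-j", "DROP"]
        return None

    def expire(self, now):
        """Return the unban commands for every ban whose time is up."""
        cmds = []
        for ip, until in list(self.bans.items()):
            if now >= until:
                del self.bans[ip]
                cmds.append(["iptables", "-D", self.chain, "-s", ip, "-j", "DROP"])
        return cmds


SAMPLE_LOG = (  # constructed sample lines, one second apart, not from a real host
    ["Aug 23 13:40:0%d host sshd[100]: Failed password for invalid user admin "
     "from 192.0.2.10 port 51234 ssh2" % i for i in range(5)]
    + ["Aug 23 13:40:05 host sshd[101]: Failed password for root from 192.0.2.20 port 40000 ssh2"] * 2
    + ["Aug 23 13:40:07 host sshd[102]: Accepted publickey for bob from 192.0.2.30 port 40001 ssh2"]
)


def run_sample():
    """Replay SAMPLE_LOG, then advance past ban_time; return every command issued."""
    tracker = BanTracker(max_retry=5, find_time=600, ban_time=3600)
    issued = [c for t, line in enumerate(SAMPLE_LOG) if (c := tracker.observe(line, now=t))]
    return issued + tracker.expire(now=len(SAMPLE_LOG) + 3600)
```

Only 192.0.2.10 reaches the threshold, so the replay yields one insert into the chain and, once the ban has aged out, the matching delete.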