SSHd

Matthew Schick mschick at redhat.com
Wed Aug 23 13:40:32 UTC 2006


On Wed, 2006-08-23 at 09:35 -0400, Matthew Miller wrote:
> On Wed, Aug 23, 2006 at 01:27:48PM +0200, Arjan van de Ven wrote:
> > > account, would best be dealt with with a default configuration that
> > > blocks an IP for some time if enough unsuccessful attempts are made. 
> > installing denyhosts by default sounds reasonable ;)
> 
> I don't think so. Denyhosts works by manipulating /etc/hosts.deny, which is
> a security-sensitive config file which shouldn't be edited willy-nilly by
> scripts.
> 
> And, this won't even work in the configuration we use here (which while not
> the fedora default is widespread good practice) -- put "ALL:ALL" in
> /etc/hosts.deny and then explicitly enable the services and hosts you want
> to let in in /etc/hosts.allow.
> 
> It would be better to have a "denyhosts" iptables chain which the program
> could add to and remove from.
> 
> -- 
> Matthew Miller           mattdm at mattdm.org          <http://mattdm.org/>
> Boston University Linux      ------>              <http://linux.bu.edu/>

My personal favorite is fail2ban (http://fail2ban.sourceforge.net/)
which does exactly that.  It'll also work outta the box for other
services (pop3, apache).  Very configurable, works like a charm...

-- 
Matthew Schick
System Administrator, Engineering Services
Red Hat, Inc.
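The dedicated ban chain proposed in the quoted message, as an added example that is not fail2ban's or denyhosts' own code: a POSIX sh helper that keeps every automated ban in one iptables chain (assumed name `denyhosts`, hooked once from INPUT), validates an address before it becomes a rule, and can list or lift bans without touching the rest of the firewall or /etc/hosts.deny. The `IPT` variable is an assumption so the script can be dry-run against a stub instead of the real binary.

```shell
#!/bin/sh
# Added example (not fail2ban or denyhosts code): keep all automated bans in
# one dedicated iptables chain so the main INPUT policy and /etc/hosts.deny
# are never edited by a script. Chain name "denyhosts" follows the message.
CHAIN=${BAN_CHAIN:-denyhosts}
IPT=${IPT:-iptables}          # point at a stub for a dry run (assumption)

# Strict dotted-quad check so a log-derived string can never turn into a
# rule with extra arguments: only a plain IPv4 address is accepted.
is_ipv4() (
    case "$1" in *[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    IFS=.; set -- $1            # split on dots inside this subshell only
    [ $# -eq 4 ] || return 1
    for octet; do [ "$octet" -le 255 ] || return 1; done
)

# Create the chain once and hook it from INPUT exactly once (-C checks first).
ban_chain_setup() {
    $IPT -N "$CHAIN" 2>/dev/null || true
    $IPT -C INPUT -j "$CHAIN" 2>/dev/null || $IPT -I INPUT -j "$CHAIN"
}

# Add a DROP rule for one address; refuses anything that is not an IPv4.
ban_ip() {
    is_ipv4 "$1" || { echo "ban_ip: refusing '$1'" >&2; return 1; }
    $IPT -A "$CHAIN" -s "$1" -j DROP
}

# Delete exactly the rule ban_ip added; nothing else in INPUT is touched.
unban_ip() {
    is_ipv4 "$1" || return 1
    $IPT -D "$CHAIN" -s "$1" -j DROP
}

# Print the currently banned addresses, one per line, from the chain itself.
ban_list() {
    $IPT -S "$CHAIN" | awk '$1 == "-A" && $3 == "-s" { sub(/\/32$/, "", $4); print $4 }'
}

# Lift every ban at once, leaving the INPUT hook and the default policy intact.
ban_flush() {
    $IPT -F "$CHAIN"
}
```

Run as root with the real iptables, or set `IPT` to a logging stub to see the exact rules a ban or unban would produce.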