SSHd
Matthew Miller
mattdm at mattdm.org
Wed Aug 23 13:35:12 UTC 2006
On Wed, Aug 23, 2006 at 01:27:48PM +0200, Arjan van de Ven wrote:
> > account, would best be dealth with with a default configuration that
> > blocks an IP for some time if enough unsuccessful attempts are made.
> installing denyhosts by default sounds reasonable ;)
I don't think so. Denyhosts works by manipulating /etc/hosts.deny, which is
a security-sensitive config file which shouldn't be edited willy-nilly by
scripts.
And, this won't even work in the configuration we use here (which while not
the fedora default is widespread good practice) -- put "ALL:ALL" in
/etc/hosts.deny and then explicitly enable the services and hosts you want
to let in in /etc/hosts.allow.
It would be better to have a "denyhosts" iptables chain which the program
could add to and remove from.
--
Matthew Miller mattdm at mattdm.org <http://mattdm.org/>
Boston University Linux ------> <http://linux.bu.edu/>
More information about the fedora-devel-list
mailing list