[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: SSHd



On Wed, Aug 23, 2006 at 01:27:48PM +0200, Arjan van de Ven wrote:
> > account, would best be dealth with with a default configuration that
> > blocks an IP for some time if enough unsuccessful attempts are made. 
> installing denyhosts by default sounds reasonable ;)

I don't think so. Denyhosts works by manipulating /etc/hosts.deny, which is
a security-sensitive config file which shouldn't be edited willy-nilly by
scripts.

And, this won't even work in the configuration we use here (which while not
the fedora default is widespread good practice) -- put "ALL:ALL" in
/etc/hosts.deny and then explicitly enable the services and hosts you want
to let in in /etc/hosts.allow.

It would be better to have a "denyhosts" iptables chain which the program
could add to and remove from.

-- 
Matthew Miller           mattdm mattdm org          <http://mattdm.org/>
Boston University Linux      ------>              <http://linux.bu.edu/>


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]