On Wed, 2006-08-23 at 09:35 -0400, Matthew Miller wrote:
> On Wed, Aug 23, 2006 at 01:27:48PM +0200, Arjan van de Ven wrote:
> > > account, would best be dealt with with a default configuration that
> > > blocks an IP for some time if enough unsuccessful attempts are made.
> > installing denyhosts by default sounds reasonable ;)
>
> I don't think so. Denyhosts works by manipulating /etc/hosts.deny, which is
> a security-sensitive config file which shouldn't be edited willy-nilly by
> scripts.
>
> And, this won't even work in the configuration we use here (which while not
> the fedora default is widespread good practice) -- put "ALL:ALL" in
> /etc/hosts.deny and then explicitly enable the services and hosts you want
> to let in in /etc/hosts.allow.
>
> It would be better to have a "denyhosts" iptables chain which the program
> could add to and remove from.
>
> --
> Matthew Miller           mattdm mattdm org        <http://mattdm.org/>
> Boston University Linux ------> <http://linux.bu.edu/>

My personal favorite is fail2ban (http://fail2ban.sourceforge.net/) which
does exactly that. It'll also work outta the box for other services (pop3,
apache). Very configurable, works like a charm...

--
Matthew Schick
System Administrator, Engineering Services
Red Hat, Inc.
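The approach Matthew Miller proposes above, a dedicated iptables chain that the blocker appends to and deletes from so that /etc/hosts.deny and INPUT are never rewritten by a script, worked through as an added example. This is illustration code for the thread, not fail2ban's or denyhosts's own code, and it does not execute iptables: it parses sshd "Failed password" lines, applies a sliding-window threshold (5 failures in 10 minutes, values chosen here), and emits the iptables commands a daemon would run against a chain named "denyhosts" (name taken from the thread; the chain, the year 2006 for the year-less syslog timestamps, and the log lines themselves are constructed assumptions). The 192.0.2.9 lines show the edge case a naive counter gets wrong: five failures in total, but never five inside one window, so no ban.

```python
"""SSH brute-force blocking via a dedicated iptables chain (added example).

Not fail2ban or denyhosts code. Assumes sshd's default syslog wording,
LOG_YEAR for the year-less timestamps, and a hypothetical chain name.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

CHAIN = "denyhosts"   # dedicated chain; INPUT gets exactly one jump into it (assumed name)
LOG_YEAR = 2006       # syslog lines carry no year; assumed for parsing

# Constructed sample lines in sshd's syslog format, not taken from a real host.
SAMPLE_LOG = """\
Aug 23 09:31:02 host sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 40122 ssh2
Aug 23 09:31:05 host sshd[2103]: Failed password for invalid user admin from 203.0.113.7 port 40123 ssh2
Aug 23 09:31:09 host sshd[2105]: Failed password for root from 203.0.113.7 port 40124 ssh2
Aug 23 09:31:12 host sshd[2107]: Failed password for root from 203.0.113.7 port 40125 ssh2
Aug 23 09:31:15 host sshd[2109]: Failed password for root from 203.0.113.7 port 40126 ssh2
Aug 23 09:33:40 host sshd[2140]: Failed password for mattdm from 198.51.100.20 port 51000 ssh2
Aug 23 09:33:58 host sshd[2142]: Accepted publickey for mattdm from 198.51.100.20 port 51001 ssh2
Aug 23 10:10:01 host sshd[2201]: Failed password for root from 192.0.2.9 port 33001 ssh2
Aug 23 10:10:02 host sshd[2203]: Failed password for root from 192.0.2.9 port 33002 ssh2
Aug 23 10:30:00 host sshd[2205]: Failed password for root from 192.0.2.9 port 33003 ssh2
Aug 23 10:30:01 host sshd[2207]: Failed password for root from 192.0.2.9 port 33004 ssh2
Aug 23 10:30:02 host sshd[2209]: Failed password for root from 192.0.2.9 port 33005 ssh2
"""

FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>[\d.]+) port"
)


def parse_failures(log_text):
    """Return [(datetime, ip), ...] for every failed-password line; other lines are ignored."""
    out = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S").replace(year=LOG_YEAR)
        out.append((ts, m.group("ip")))
    return out


def find_offenders(failures, threshold=5, window=timedelta(minutes=10)):
    """Sliding-window count per source IP.

    An IP is banned at the timestamp of the failure that makes `threshold`
    failures fall within `window`. Older failures drop out of the window, so
    slow, spread-out attempts below the rate never trigger a ban.
    Returns {ip: ban_time}.
    """
    recent = defaultdict(deque)
    bans = {}
    for ts, ip in sorted(failures):
        if ip in bans:
            continue                      # already blocked; nothing more to count
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:   # expire failures older than the window
            q.popleft()
        if len(q) >= threshold:
            bans[ip] = ts
    return bans


def iptables_setup():
    """One-time setup: create the chain and hook only SSH traffic into it."""
    return [
        f"iptables -N {CHAIN}",
        f"iptables -I INPUT -p tcp --dport 22 -j {CHAIN}",
    ]


def iptables_ban(ip):
    """Append a DROP for one source to the dedicated chain; INPUT itself is untouched."""
    return f"iptables -A {CHAIN} -s {ip} -j DROP"


def iptables_unban(ip):
    """Delete exactly the rule iptables_ban() added."""
    return f"iptables -D {CHAIN} -s {ip} -j DROP"


def expired(bans, now, bantime=timedelta(minutes=10)):
    """IPs whose ban has lasted at least `bantime` as of `now`."""
    return sorted(ip for ip, t in bans.items() if now - t >= bantime)


def plan(log_text, now_iso, bantime=timedelta(minutes=10)):
    """Full pass: parse the log, decide bans, and return the commands due at `now_iso`."""
    bans = find_offenders(parse_failures(log_text))
    now = datetime.fromisoformat(now_iso)
    return {
        "banned": sorted(bans),
        "ban_cmds": [iptables_ban(ip) for ip in sorted(bans)],
        "unban_cmds": [iptables_unban(ip) for ip in expired(bans, now, bantime)],
    }


if __name__ == "__main__":
    for cmd in iptables_setup():
        print(cmd)
    for cmd in plan(SAMPLE_LOG, "2006-08-23T09:45:00")["ban_cmds"]:
        print(cmd)
```

Because every rule lives in its own chain, an unban is a plain `-D` of the exact rule that was added, and flushing the chain (`iptables -F denyhosts`) clears all blocks without touching the rest of the firewall; that separation is what a script editing /etc/hosts.deny cannot give you.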