A Topic that needs to be discussed on next the QA meeting..

Andrew Farris lordmorgul at gmail.com
Tue Mar 18 08:38:56 UTC 2008


Tomas Mraz wrote:
> On Mon, 2008-03-17 at 19:53 -0700, Andrew Farris wrote:
>> Had you even considered asking denyhosts to be a part of the base install and 
>> configured to start blocking hosts after 10 account failures, or when attempts 
>> at service account logins are made?  Problem solved.. ssh still open.
> Perhaps we should add pam_abl to default sshd PAM configuration with
> some reasonable defaults on how many auth failures are allowed?

The benefit of denyhosts goes beyond that.  A user can script an attempt at many 
different logins, trying one at a time, spreading them out over a period of 
several minutes, so that multiple auth failures are not triggered.  What 
denyhosts provides is the larger picture of an external ip attempting multiple 
accounts or failing a single account multiple times.  It's been very effective in 
reducing the ssh login attempts on my home machines which have ssh open to the 
internet (even though they are pub/priv keypair restricted they still get 
hammered with repeated login attempts and denyhosts picks that up and adds them 
to hosts.deny).

>> I would argue that blocking root from ssh logins by default would be smart.  I 
>> would think a livecd install (almost always a desktop user) it should be blocked 
>> by the firewall by default.  But seriously this rant is a bit over the top.
> Unfortunately user accounts are set up in firstboot so disabling root
> login in ssh by default is not possible.

Well, that's true, but firstboot could disable ssh for root once a user account 
is created (unless a checkbox was left enabled or something).. and you'd still 
get perfectly acceptable behavior for headless installs.

-- 
Andrew Farris <lordmorgul at gmail.com> www.lordmorgul.net
  gpg 0xC99B1DF3 fingerprint CDEC 6FAD BA27 40DF 707E A2E0 F0F6 E622 C99B 1DF3
No one now has, and no one will ever again get, the big picture. - Daniel Geer
----                                                                       ----
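The "larger picture" described in the reply above is per-source-host correlation: failures counted across all accounts and over a window of time, so that trying one account every few minutes does not stay under a per-account threshold. The following is an added, self-contained example written for this thread; it is not denyhosts' or Fedora's code. It parses a few constructed sshd syslog lines, buckets failures per source IP into three assumed categories (invalid user, valid user, root) with assumed thresholds, and emits the `hosts.deny` lines a blocker would write. The thresholds, the one-hour window and the log year are all assumptions chosen for the sample data.

```python
"""Per-source-IP correlation of sshd auth failures across accounts and time.

Added example for the denyhosts discussion; not denyhosts' own code. All
thresholds and sample data below are constructed for illustration.
"""
import re
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta

# Constructed sample sshd log lines in syslog format (year assumed to be 2008).
# 192.0.2.10 spreads single failures over six different accounts;
# 203.0.113.5 hits root three times over 13 minutes;
# 198.51.100.7 is a legitimate user who mistyped once and then logged in.
SAMPLE_LOG = """\
Mar 17 19:40:01 host sshd[1001]: Failed password for invalid user oracle from 192.0.2.10 port 40001 ssh2
Mar 17 19:41:30 host sshd[1002]: Failed password for invalid user postgres from 192.0.2.10 port 40002 ssh2
Mar 17 19:43:05 host sshd[1003]: Failed password for invalid user mysql from 192.0.2.10 port 40003 ssh2
Mar 17 19:44:50 host sshd[1004]: Failed password for root from 192.0.2.10 port 40004 ssh2
Mar 17 19:46:12 host sshd[1005]: Failed password for admin from 192.0.2.10 port 40005 ssh2
Mar 17 19:47:59 host sshd[1006]: Failed password for invalid user test from 192.0.2.10 port 40006 ssh2
Mar 17 19:50:00 host sshd[1007]: Failed password for alice from 198.51.100.7 port 50001 ssh2
Mar 17 19:50:20 host sshd[1008]: Accepted publickey for alice from 198.51.100.7 port 50002 ssh2
Mar 17 20:02:33 host sshd[1009]: Failed password for root from 203.0.113.5 port 60001 ssh2
Mar 17 20:09:10 host sshd[1010]: Failed password for root from 203.0.113.5 port 60002 ssh2
Mar 17 20:15:44 host sshd[1011]: Failed password for root from 203.0.113.5 port 60003 ssh2
"""

# Assumed per-category thresholds: how many failures from one IP, within
# WINDOW, are enough to list the host. Root and non-existent accounts are
# treated more strictly than real user accounts (typos happen).
THRESHOLDS = {"invalid": 3, "valid": 5, "root": 2}
WINDOW = timedelta(hours=1)

FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?P<invalid>invalid user )?(?P<user>\S+) from (?P<ip>\S+)"
)

Failure = namedtuple("Failure", "ts ip user category")


def parse_failures(log_text, year=2008):
    """Extract failed-password events; accepted logins and noise are skipped."""
    events = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=year)
        if m["user"] == "root":
            category = "root"
        elif m["invalid"]:
            category = "invalid"
        else:
            category = "valid"
        events.append(Failure(ts, m["ip"], m["user"], category))
    return events


def offending_hosts(events, thresholds=None, window=WINDOW):
    """Return {ip: reason} for every source IP whose failures, counted across
    all accounts, reach a category threshold inside a sliding time window."""
    thresholds = thresholds or THRESHOLDS
    by_ip = defaultdict(lambda: defaultdict(list))
    for ev in events:
        by_ip[ev.ip][ev.category].append(ev.ts)

    flagged = {}
    for ip, categories in by_ip.items():
        for category, stamps in categories.items():
            stamps.sort()
            n = thresholds[category]
            # Any n consecutive failures that fit inside `window` trip the rule,
            # no matter how many distinct accounts they were spread over.
            for i in range(len(stamps) - n + 1):
                if stamps[i + n - 1] - stamps[i] <= window:
                    flagged[ip] = f"{n} '{category}' failures within {window}"
                    break
            if ip in flagged:
                break
    return flagged


def hosts_deny_lines(flagged):
    """Render the TCP-wrappers lines a blocker would append to /etc/hosts.deny."""
    return [f"sshd: {ip}" for ip in sorted(flagged)]


if __name__ == "__main__":
    found = offending_hosts(parse_failures(SAMPLE_LOG))
    for ip, reason in sorted(found.items()):
        print(f"{ip}: {reason}")
    print("\n".join(hosts_deny_lines(found)))
```

With the sample data, 192.0.2.10 is listed because it accumulated three failures against non-existent accounts in eight minutes even though no single account failed more than once, and 203.0.113.5 is listed for two root failures within the window; 198.51.100.7 stays off the list. A per-account or per-PAM-session counter would have seen only one failure for each of the six accounts tried by 192.0.2.10, which is exactly the gap the reply above describes.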