A topic that needs to be discussed at the next QA meeting..
Andrew Farris
lordmorgul at gmail.com
Tue Mar 18 08:38:56 UTC 2008
Tomas Mraz wrote:
> On Mon, 2008-03-17 at 19:53 -0700, Andrew Farris wrote:
>> Had you even considered asking denyhosts to be a part of the base install and
>> configured to start blocking hosts after 10 account failures, or when attempts
>> at service account logins are made? Problem solved.. ssh still open.
> Perhaps we should add pam_abl to default sshd PAM configuration with
> some reasonable defaults on how many auth failures are allowed?
The benefit of denyhosts goes beyond that. A user can script an attempt at many
different logins, trying one at a time, spreading them out over a period of
several minutes, so that multiple auth failures are not triggered. What
denyhosts provides is the larger picture of an external ip attempting multiple
accounts or failing a single account multiple times. It's been very effective in
reducing the ssh login attempts on my home machines which have ssh open to the
internet (even though they are pub/priv keypair restricted they still get
hammered with repeated login attempts and denyhosts picks that up and adds them
to hosts.deny).
>> I would argue that blocking root from ssh logins by default would be smart. I
>> would think on a livecd install (almost always a desktop user) it should be blocked
>> by the firewall by default. But seriously this rant is a bit over the top.
> Unfortunately user accounts are set up in firstboot so disabling root
> login in ssh by default is not possible.
Well, that's true, but firstboot could disable ssh for root once a user account
is created (unless a checkbox was left enabled or something).. and you'd still
get perfectly acceptable behavior for headless installs.
--
Andrew Farris <lordmorgul at gmail.com> www.lordmorgul.net
gpg 0xC99B1DF3 fingerprint CDEC 6FAD BA27 40DF 707E A2E0 F0F6 E622 C99B 1DF3
No one now has, and no one will ever again get, the big picture. - Daniel Geer
More information about the fedora-test-list mailing list
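An added example to illustrate the distinction Andrew draws between a per-account failure counter (the pam_abl proposal) and denyhosts' per-source-IP view; this is not code from the thread, from denyhosts or from pam_abl. It runs both views over a handful of constructed sshd auth log lines: one source spreads six attempts against six different accounts over eleven minutes and never trips a per-account threshold, a second hammers root four times in twenty seconds, and a third is a legitimate user who fumbles once and then logs in. The thresholds (3 failures per account, 5 failures per IP within 15 minutes), the host name, the year pinned onto the yearless syslog timestamps and the addresses from the documentation ranges are all assumptions, not denyhosts defaults.

```python
"""Per-account vs. per-source-IP views of sshd auth failures (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log lines in classic syslog format (hostname "home" is made up).
SAMPLE_LOG = """\
Mar 17 19:40:01 home sshd[2001]: Failed password for invalid user oracle from 203.0.113.7 port 40001 ssh2
Mar 17 19:42:15 home sshd[2002]: Failed password for invalid user postgres from 203.0.113.7 port 40002 ssh2
Mar 17 19:44:30 home sshd[2003]: Failed password for invalid user mysql from 203.0.113.7 port 40003 ssh2
Mar 17 19:46:44 home sshd[2004]: Failed password for invalid user admin from 203.0.113.7 port 40004 ssh2
Mar 17 19:49:02 home sshd[2005]: Failed password for invalid user test from 203.0.113.7 port 40005 ssh2
Mar 17 19:50:05 home sshd[2010]: Failed password for root from 198.51.100.23 port 51000 ssh2
Mar 17 19:50:11 home sshd[2011]: Failed password for root from 198.51.100.23 port 51001 ssh2
Mar 17 19:50:18 home sshd[2012]: Failed password for root from 198.51.100.23 port 51002 ssh2
Mar 17 19:50:26 home sshd[2013]: Failed password for root from 198.51.100.23 port 51003 ssh2
Mar 17 19:51:19 home sshd[2006]: Failed password for invalid user guest from 203.0.113.7 port 40006 ssh2
Mar 17 19:53:40 home sshd[2020]: Failed password for andrew from 192.0.2.5 port 60000 ssh2
Mar 17 19:53:52 home sshd[2020]: Accepted publickey for andrew from 192.0.2.5 port 60000 ssh2
"""

# Matches sshd "Failed <method> for [invalid user ]<user> from <ip> port <n>" lines only.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed \S+ for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

# Assumption: syslog timestamps carry no year, so one is pinned to make them sortable.
LOG_YEAR = 2008


def parse_failures(log_text):
    """Return a time-sorted list of (timestamp, user, ip) for each failed login line."""
    events = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue  # successful logins and unrelated lines are ignored
        ts = datetime.strptime(f"{LOG_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["user"], m["ip"]))
    events.sort()
    return events


def per_account_offenders(events, threshold):
    """Per-account view: an IP is flagged only if one (ip, account) pair fails `threshold` times."""
    counts = defaultdict(int)
    for _, user, ip in events:
        counts[(ip, user)] += 1
    return {ip for (ip, _), n in counts.items() if n >= threshold}


def per_ip_offenders(events, threshold, window_minutes):
    """Per-source view: failures from one IP against any accounts inside a sliding window."""
    window = timedelta(minutes=window_minutes)
    by_ip = defaultdict(list)
    for ts, _, ip in events:
        by_ip[ip].append(ts)  # events are already sorted, so each list is in time order
    offenders = set()
    for ip, times in by_ip.items():
        start = 0
        for end, ts in enumerate(times):
            while ts - times[start] > window:
                start += 1  # drop attempts that fell out of the window
            if end - start + 1 >= threshold:
                offenders.add(ip)
                break
    return offenders


def hosts_deny_lines(ips, service="sshd"):
    """Render blocks in TCP Wrappers 'daemon: client' syntax, one line per IP."""
    return [f"{service}: {ip}" for ip in sorted(ips)]


def hosts_to_deny(log_text, account_threshold=3, ip_threshold=5, window_minutes=15):
    """Union of both views, which is what you would append to /etc/hosts.deny."""
    events = parse_failures(log_text)
    return per_account_offenders(events, account_threshold) | per_ip_offenders(
        events, ip_threshold, window_minutes
    )


if __name__ == "__main__":
    evs = parse_failures(SAMPLE_LOG)
    print("per-account view flags:", sorted(per_account_offenders(evs, 3)))
    print("per-IP window view flags:", sorted(per_ip_offenders(evs, 5, 15)))
    print("\n".join(hosts_deny_lines(hosts_to_deny(SAMPLE_LOG))))
```

With these inputs the per-account view flags only 198.51.100.23 (four root failures), while 203.0.113.7 slips through because no single account saw more than one failure; the per-IP window view catches it on its fifth attempt. The legitimate user at 192.0.2.5 is flagged by neither, which is the false-positive case any threshold has to leave room for.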