A Topic that needs to be discussed at the next QA meeting..
Andrew Farris
lordmorgul at gmail.com
Tue Mar 18 08:41:47 UTC 2008
Andrew Farris wrote:
> Tomas Mraz wrote:
>> On Mon, 2008-03-17 at 19:53 -0700, Andrew Farris wrote:
>>> Had you even considered asking denyhosts to be a part of the base
>>> install and configured to start blocking hosts after 10 account
>>> failures, or when attempts at service account logins are made?
>>> Problem solved.. ssh still open.
>> Perhaps we should add pam_abl to default sshd PAM configuration with
>> some reasonable defaults on how many auth failures are allowed?
>
> The benefit of denyhosts goes beyond that. A user can script an attempt
> at many different logins, trying one at a time, spreading them out over
> a period of several minutes, so that multiple auth failures are not
> triggered. What denyhosts provides is the larger picture of an external
> ip attempting multiple accounts or failing a single account multiple
> times. It's been very effective in reducing the ssh login attempts on my
> home machines which have ssh open to the internet (even though they are
> pub/priv keypair restricted they still get hammered with repeated login
> attempts and denyhosts picks that up and adds them to hosts.deny).
I don't mean to say adding a pam auth failure limit would be a bad idea; it
would probably work very nicely with denyhosts. However, denyhosts can react in
much the same way, for instance 3 repeated failures for the same account, or 3
different account failures, and then block.
--
Andrew Farris <lordmorgul at gmail.com> www.lordmorgul.net
gpg 0xC99B1DF3 fingerprint CDEC 6FAD BA27 40DF 707E A2E0 F0F6 E622 C99B 1DF3
No one now has, and no one will ever again get, the big picture. - Daniel Geer
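The distinction drawn above, between a per-session failure counter and a per-source-IP view that also catches one slow attempt against many different accounts, is easy to see in code. The following is an added illustration, not code from this thread, from denyhosts or from pam_abl: it applies the two thresholds Andrew names (3 failures on one account, or 3 different accounts tried from the same address) to a handful of constructed sshd log lines and emits TCP-wrappers style `hosts.deny` entries. The log lines, hostnames and addresses (documentation ranges) are made up for the example.

```python
import re
from collections import defaultdict

# Constructed sample sshd log lines (not taken from the thread). 203.0.113.7 spreads
# three single attempts against three different accounts over several minutes, so no
# per-account counter ever reaches the limit; 198.51.100.9 hammers one account.
SAMPLE_LOG = """\
Mar 17 19:40:01 host sshd[1201]: Failed password for invalid user oracle from 203.0.113.7 port 40122 ssh2
Mar 17 19:43:12 host sshd[1210]: Failed password for invalid user test from 203.0.113.7 port 40180 ssh2
Mar 17 19:47:55 host sshd[1222]: Failed password for root from 203.0.113.7 port 40231 ssh2
Mar 17 19:50:03 host sshd[1230]: Failed password for bob from 198.51.100.9 port 51002 ssh2
Mar 17 19:50:09 host sshd[1231]: Failed password for bob from 198.51.100.9 port 51003 ssh2
Mar 17 19:50:15 host sshd[1232]: Failed password for bob from 198.51.100.9 port 51004 ssh2
Mar 17 19:52:00 host sshd[1240]: Accepted publickey for alice from 192.0.2.44 port 33000 ssh2
Mar 17 19:53:30 host sshd[1241]: Failed password for alice from 192.0.2.44 port 33010 ssh2
"""

# Matches the "Failed password" line; "invalid user" is present when the account
# does not exist on the host, so it is optional here.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def parse_failures(log_text):
    """Return a list of (source_ip, account) pairs, one per failed login line."""
    failures = []
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            failures.append((m.group("ip"), m.group("user")))
    return failures


def hosts_to_block(failures, per_account_threshold=3, distinct_accounts_threshold=3):
    """Aggregate failures per source IP and decide which addresses to block.

    Thresholds follow the message above: block after 3 failures on the same
    account, or after 3 different accounts have been tried from one address.
    Returns {ip: reason}.
    """
    per_ip_user = defaultdict(lambda: defaultdict(int))
    for ip, user in failures:
        per_ip_user[ip][user] += 1

    blocked = {}
    for ip, users in per_ip_user.items():
        worst_account = max(users.values())
        if worst_account >= per_account_threshold:
            blocked[ip] = f"{worst_account} failures on one account"
        elif len(users) >= distinct_accounts_threshold:
            blocked[ip] = f"{len(users)} different accounts tried"
    return blocked


def hosts_deny_lines(blocked, daemon="sshd"):
    """Render blocked addresses as TCP-wrappers hosts.deny entries, sorted for stable output."""
    return [f"{daemon}: {ip}" for ip in sorted(blocked)]


if __name__ == "__main__":
    decisions = hosts_to_block(parse_failures(SAMPLE_LOG))
    for ip, reason in sorted(decisions.items()):
        print(f"{ip}: {reason}")
    print("\n".join(hosts_deny_lines(decisions)))
```

Run as a script it reports both offending addresses while leaving 192.0.2.44 (one failure from a user who otherwise logs in with a key) alone; a real deployment would read the journal or `/var/log/secure` incrementally and age old failures out, which this snapshot-style example omits.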