On 05/19/2011 01:18 PM, Kevin Fenzi wrote:
> The reason for this has been headless installs. I.e., if you install via
> VNC or the like, and finish the install and reboot and don't have
> access to the physical console, ssh is your only way to access the
> newly installed machine and set up accounts, etc.
>
> If someone can come up with a solution that covers this case, we could
> revisit this, but it's not a case that's easy to fix in any kind of
> clean way. ;(
>
> If it's brute force attacks that are the vector of concern, perhaps we
> could look at a default hashlimit rule in front of the ssh. (i.e., 1
> attempt per minute or the like).

I would think admins that are doing headless installs would be doing them
via PXE+Cobbler with .ks files, not via the DVD.

If they do, they should create their own ISO for that case, or server SIG
spin one for them, since we hand out DVDs to novice end users.

Anyway, there came an interesting discussion out of this thread at work on
who was legally liable for any harm/financial damage that might be caused
by bad default options like this, which I have now forwarded to legal to
clarify.

JBG