On Thu, 19 May 2011 09:08:06 -0600
Vincent Danen <vdanen@xxxxxxxxxx> wrote:

> * [2011-05-19 07:18:38 -0600] Kevin Fenzi wrote:

...snip...

> >If it's brute force attacks that are the vector of concern, perhaps
> >we could look at a default hashlimit rule in front of the ssh. (ie, 1
> >attempt per minute or the like).
>
> Or simply have a page asking the user whether or not to enable ssh? I
> can't recall off the top of my head, but I believe there is a screen
> where you ask if you want the firewall enabled, right? Why not have a
> very obvious checkbox: "[ ] Enable ssh at boot" and if the user checks
> it off, set the firewall to allow ssh and turn ssh on. If the user
> does _not_ check it off (aka they are sitting back and saying "what
> is this ssh thing they speak of?") then have the firewall block port
> 22 and chkconfig ssh off.
>
> It's not difficult. Those who need ssh will know what it is and will
> turn it on. Those who don't (probably the majority) will leave it off
> and be protected.
>
> I think that would cover all areas of concern without
> unnecessary/needless rate-limiting or changing sshd_config, etc. And
> it's one more UI element during install (and presumably something that
> could be set in a kickstart file as well as a result).

Sure. Feel free to suggest it/provide patches to the anaconda folks. There
may well be cases this doesn't handle, but they would know more than I
what those might be.

kevin
--
security mailing list
security@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/security
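Worked example of the two options discussed in the thread, added here as illustration; it is not code from the thread, from anaconda or from Fedora. It assumes an iptables/ip6tables with the hashlimit and conntrack matches and a sysvinit host where `chkconfig sshd` controls the service (the init script is `sshd`, not `ssh`). `ssh_access enable` puts a per-source-IP hashlimit rule in front of the ssh accept, as Kevin suggests; `ssh_access disable` closes port 22 and turns sshd off at boot, which is what Vincent's unticked checkbox would do. Set `DRY_RUN=1` to print the commands instead of executing them (applying them needs root); the rate and burst are assumptions, not values from the thread.

```shell
#!/bin/sh
# Added example, not from the thread: rate-limit new ssh connections per source
# address with xt_hashlimit, or close port 22 and disable sshd at boot.
# Assumes iptables/ip6tables with hashlimit + conntrack and a chkconfig host.

# One new connection per minute per source, with a burst of 5 so an admin who
# fat-fingers a password is not locked out at once (illustrative values).
SSH_RATE=${SSH_RATE:-1/minute}
SSH_BURST=${SSH_BURST:-5}

# Print the command under DRY_RUN=1, otherwise execute it.
run() {
    if [ -n "${DRY_RUN:-}" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Rules for one firewall binary (iptables or ip6tables). Order matters:
# established sessions first, then the limiter, then the catch-all drop.
ssh_ratelimit_rules() {
    fw=$1
    # packets of already-accepted sessions never consume limiter tokens
    run "$fw" -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # new ssh connections are accepted only while this source's bucket has tokens;
    # the entry is kept for 5 minutes of silence, otherwise a short pause
    # would hand the same source a fresh burst
    run "$fw" -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW \
        -m hashlimit --hashlimit-name ssh --hashlimit-mode srcip \
        --hashlimit-upto "$SSH_RATE" --hashlimit-burst "$SSH_BURST" \
        --hashlimit-htable-expire 300000 -j ACCEPT
    # everything over the limit from that source is dropped
    run "$fw" -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j DROP
}

# enable: box ticked; disable: box left unticked.
ssh_access() {
    case $1 in
    enable)
        ssh_ratelimit_rules iptables
        ssh_ratelimit_rules ip6tables
        run chkconfig sshd on
        ;;
    disable)
        # close the port for both address families and keep sshd off at boot
        run iptables -A INPUT -p tcp --dport 22 -j REJECT --reject-with tcp-reset
        run ip6tables -A INPUT -p tcp --dport 22 -j REJECT --reject-with tcp-reset
        run chkconfig sshd off
        ;;
    *)
        echo "usage: ssh_access enable|disable" >&2
        return 2
        ;;
    esac
}

# When run as a script: ./ssh_access.sh enable|disable
if [ $# -gt 0 ]; then
    ssh_access "$1"
fi
```

Two caveats a practitioner would want: the limit is keyed on the source address, so it slows a single host but not a guessing campaign spread across many addresses, and the same rules must be loaded for IPv6 or the limiter is bypassed by connecting to the host's IPv6 address.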