If you have not installed it, install denyhosts... it watches for ssh password attacks and locks out hosts automatically. It does limit the number of attempts someone gets before being completely locked out.

On Thu, Dec 19, 2013 at 11:22 AM, Mark Haney <mhaney@xxxxxxxxxxxxxx> wrote:
> On 12/19/2013 12:16 PM, Tim wrote:
>
>> You really need something that detects attempts to crack passwords,
>> responds appropriately to thwart the attacks while they happen,
>> and immediately notifies you that an attempt is happening as it
>> happens (e.g. email to a separate system), so you know to check,
>> and the notification isn't stored somewhere that will be deleted
>> during the attack.
>>
>
> I'm kind of with you on the password rotation part. I do certainly
> see the need for routinely changing non-local (i.e. internet) passwords,
> but I'm not always convinced rotating internal ones makes sense in
> every case.
>
> I personally use fail2ban for any internet facing system that has, for
> instance, ssh open. It works well and I get notification of password
> intrusion attempts if the login fails X number of times. Personally,
> I have mine set to disable login permanently instead of setting a time
> limit, then I can re-enable when I have time. As far as SSH goes I
> also have only one user account that is ssh accessible so I don't need
> to worry about my kids' accounts, etc.
>
> --
> Mark Haney
> Network Administrator/IT Support
> Practichem
> W:919-714-8428
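The mechanism the tools named in this thread rely on, counting failed ssh logins per source host and locking the host out once a limit is reached, sketched as an added example (not code from denyhosts, fail2ban or anyone in the thread). It assumes the standard OpenSSH "Failed password" log line; the names `scan` and `SAMPLE_LOG`, the limit of 3 and the log lines themselves are constructed for illustration.

```python
import re
from collections import Counter

# Matches OpenSSH "Failed password" lines, including the "invalid user" variant.
FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)

# Constructed sample log lines (documentation addresses, not real traffic).
SAMPLE_LOG = """\
Dec 19 11:01:02 host sshd[2101]: Failed password for root from 203.0.113.7 port 40112 ssh2
Dec 19 11:01:04 host sshd[2101]: Failed password for root from 203.0.113.7 port 40112 ssh2
Dec 19 11:01:05 host sshd[2107]: Failed password for invalid user admin from 203.0.113.7 port 40120 ssh2
Dec 19 11:02:10 host sshd[2110]: Failed password for mark from 198.51.100.23 port 51514 ssh2
Dec 19 11:02:15 host sshd[2110]: Accepted password for mark from 198.51.100.23 port 51514 ssh2
Dec 19 11:03:00 host sshd[2120]: Failed password for root from 203.0.113.7 port 40133 ssh2
""".splitlines()


def scan(lines, max_failures=3, allowlist=()):
    """Return (banned, alerts): hosts that reached max_failures, one alert per ban."""
    failures = Counter()
    banned, alerts = [], []
    for line in lines:
        m = FAILED.search(line)
        # Skip non-matching lines, trusted hosts, and hosts already locked out.
        if not m or m["ip"] in allowlist or m["ip"] in banned:
            continue
        failures[m["ip"]] += 1
        if failures[m["ip"]] >= max_failures:
            # Permanent lockout: nothing here ever removes the entry, so
            # re-enabling a host is a manual step, as described in the thread.
            banned.append(m["ip"])
            alerts.append(
                f"banned {m['ip']} after {max_failures} failed logins "
                f"(last user: {m['user']})"
            )
    return banned, alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG)[1]:
        print(alert)  # a real deployment would mail this to a separate system
```

The allowlist matters with a permanent lockout: without it, a few mistyped passwords from your own admin address lock you out as well.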