Jim Perrin wrote:
On Jan 28, 2008 10:14 PM, Les Mikesell <lesmikesell@xxxxxxxxx> wrote:
Craig White wrote:
We will work also with the Red Hat Security team and see if we can
isolate any issues that might be FIXABLE.
----
doesn't this almost beg for upstream to make denyhosts a base install
and automatically on, just as sshd is automatically on?
I've always wondered why a program like sshd didn't rate-limit
connection attempts from day one. It's not exactly a new concept,
especially for a security-oriented program.
It's a question of scale. For some systems, 30 people logging in is
too many. For others, it's 3000. There is no 'right' default value. It
should be (and is) left up to the admin and iptables.
You have to have some default and it might as well be on the secure side
since as you suggest you won't be right for everyone. But, you don't
have to rate-limit connections in general, you just need a delay after a
failed attempt before permitting another attempt from the same place. I
thought getty/login always had such a delay to discourage password
guessing so it seemed odd for ssh to ignore this risk.
--
Les Mikesell
lesmikesell@xxxxxxxxx
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
