On Mon, Jul 27, 2015 at 12:43 PM, Lars Seipel <lars.seipel@xxxxxxxxx> wrote:
> On Mon, Jul 27, 2015 at 11:19:41AM -0600, Chris Murphy wrote:
>> Why is password quality being targeted rather than the number of ssh
>> attempts being set to e.g. 3 per minute, by default? And does this
>> sufficiently mitigate the concern, and if not, why not?
>
> Restricting login attempts means that now even the most naïve kind of
> attack can lock me out of my machine. You know, the really stupid
> attacks that rain down on almost any internet host in gigantic numbers
> but are effectively countered by using anything but the most trivial of
> passwords.

Who puts their computer directly on the Internet or has all port 22 requests forwarded carte blanche? Very weak vs. just weak passwords, and that system will be owned if no other defensive measures are taken.

Firewalld needs to be easier to inform what networks are trusted, so that when I go to a cafe it automatically blocks (or drops) requests to ports 22, 445, 2049, etc. By default. Without asking me. Just do it, because I have no good reason to have those available when I'm in a cafe. And if I do, I'll trust the network.

When enabling sshd in the GUI, it should use AllowUsers in sshd_config rather than allowing all users access. ClientAliveInterval probably should be non-zero.

Yes, there should be rate limiting and IP limiting for workstations in semi-trusted work environments, by default, but how to do that automatically isn't my area of expertise. Maybe fail2ban plays a role here, to initially be permissive but then learn what IPs to block after X failed login attempts or something?

Server folks have their own requirements. With all the servers I use, not a single one is directly reachable on the Internet; I have to go through a VPN in every case.

For someone who has no intention of turning on remote access and uses their laptop only at home behind NAT, there is no good reason to prevent them from using their year of birth as their password. I don't like it, but I have numerous exhibits of people who get beyond pissy when they aren't allowed to pick blatantly obvious passwords. And why? Because they're old, stubborn, and forget shit. They'd sooner stop using the computer, the iPad, the phone, or whatever else.

--
Chris Murphy

--
desktop mailing list
desktop@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/desktop
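A small audit script for the two sshd_config settings raised in the message above (AllowUsers and a non-zero ClientAliveInterval). This is an added example, not code from the thread or from Fedora; the function names and the two sample configs are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): report whether an sshd_config
# restricts logins with AllowUsers and times out idle sessions with a
# non-zero ClientAliveInterval. Exit status = number of findings.

# Effective value of a keyword. sshd honours the first occurrence and
# matches keywords case-insensitively, so do the same; comments are skipped.
sshd_opt() {
    # $1 = config file, $2 = keyword
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ { next }
        tolower($1) == key { print $2; exit }
    ' "$1"
}

audit_sshd_config() {
    cfg="$1"
    findings=0
    if [ -z "$(sshd_opt "$cfg" AllowUsers)" ]; then
        echo "finding: no AllowUsers line, every local account may log in over ssh"
        findings=$((findings + 1))
    fi
    interval="$(sshd_opt "$cfg" ClientAliveInterval)"
    if [ -z "$interval" ] || [ "$interval" -eq 0 ] 2>/dev/null; then
        echo "finding: ClientAliveInterval unset or 0, idle sessions never time out"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# Constructed sample configs so the script runs stand-alone.
WEAK_CFG="$(mktemp)"
printf '%s\n' '# stock-style config' 'PermitRootLogin no' '#ClientAliveInterval 0' > "$WEAK_CFG"
HARDENED_CFG="$(mktemp)"
printf '%s\n' 'AllowUsers chris' 'ClientAliveInterval 300' 'ClientAliveCountMax 2' > "$HARDENED_CFG"
trap 'rm -f "$WEAK_CFG" "$HARDENED_CFG"' EXIT

weak=0;     audit_sshd_config "$WEAK_CFG"     || weak=$?
hardened=0; audit_sshd_config "$HARDENED_CFG" || hardened=$?
echo "weak config: $weak finding(s); hardened config: $hardened finding(s)"
```

Run it against the real file with `audit_sshd_config /etc/ssh/sshd_config`; the exit status doubles as a count usable from a provisioning check.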