In bug #1079767, it is requested that the default configuration for pam_abl be changed such that multiple root login failures from a network host will (temporarily) blacklist that host. The existing default configuration deliberately does not do that, due to potential for a Denial of Service. For example, in a classroom or lab, students might try to log into a server as root, and failures could prevent the instruction from being able to do so from the same machines in the lab. Another scenario would be a miscreant breaking into one machine on a network, that happens to be used to ssh into another machine on the network, and getting that first machine blacklisted.
I understand the motivation to blacklist malicious hosts that try dictionary attacks against root, but I don't like having the default configuration susceptible to a DoS. My feeling is that the default configuration provides some value, but that the system administrator should make the choice as to whether to tighten the rules and potentially have a DoS issue.
I'm interested in hearing in opinions of other developers, before making a decision about the proposed change.I understand the motivation to blacklist malicious hosts that try dictionary attacks against root, but I don't like having the default configuration susceptible to a DoS. My feeling is that the default configuration provides some value, but that the system administrator should make the choice as to whether to tighten the rules and potentially have a DoS issue.
Thanks!
Eric
-- devel mailing list devel@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/devel Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
