On Sun, 23 Mar 2014 23:46:15 -0600 Eric Smith <spacewar@xxxxxxxxx> wrote:

> In bug #1079767, it is requested that the default configuration for
> pam_abl be changed such that multiple root login failures from a
> network host will (temporarily) blacklist that host. The existing
> default configuration deliberately does not do that, due to the potential
> for a Denial of Service. For example, in a classroom or lab, students
> might try to log into a server as root, and failures could prevent
> the instructor from being able to do so from the same machines in
> the lab. Another scenario would be a miscreant breaking into one
> machine on a network that happens to be used to ssh into another
> machine on the network, and getting that first machine blacklisted.
>
> I understand the motivation to blacklist malicious hosts that try
> dictionary attacks against root, but I don't like having the default
> configuration susceptible to a DoS. My feeling is that the default
> configuration provides some value, but that the system administrator
> should make the choice as to whether to tighten the rules and
> potentially have a DoS issue.
>
> I'm interested in hearing the opinions of other developers before
> making a decision about the proposed change.

I think it's pretty common practice to use a 'bastion host' to gateway into other servers that aren't directly reachable on the internet. Not sure if that use case is enough to sway the default, however. You could say that people setting up a bastion host should be changing the default config for their setup rather than everyone else changing the default for the bastion host case.

kevin
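The trade-off the thread is arguing about can be made concrete with a small model. The following is an added example, not pam_abl's code and not anything from the Fedora bug or from Eric's or Kevin's mails: it models a per-source-host sliding-window failure counter (a simplified stand-in for a pam_abl host rule) with a switch for whether failed logins as root count toward the host's total. The threshold, window and block duration, the host addresses and the event sequences are all constructed for the illustration, not Fedora's defaults. It runs Eric's lab scenario (students fail as root, then the instructor presents the correct password from the same host) and a remote dictionary attack under both settings, so the DoS cost and the brute-force benefit of counting root failures can be seen side by side.

```python
from collections import defaultdict, deque

# Assumed policy values for the model (not Fedora's pam_abl defaults).
MAX_FAILURES = 5        # failures allowed inside the window
WINDOW_SECONDS = 3600   # sliding window length
BLOCK_SECONDS = 86400   # how long a blacklisted host stays blocked


class HostBlacklist:
    """Per-source-host sliding-window failure counter.  A host that reaches
    MAX_FAILURES failures inside WINDOW_SECONDS is refused for BLOCK_SECONDS,
    regardless of which user or password is presented afterwards.  This is
    a simplified model of a pam_abl-style host rule, not pam_abl's code."""

    def __init__(self, count_root_failures):
        # Whether failed logins *as root* count toward the host's total.
        self.count_root_failures = count_root_failures
        self._failures = defaultdict(deque)   # host -> failure timestamps
        self._blocked_until = {}              # host -> block expiry time

    def is_blocked(self, host, now):
        return now < self._blocked_until.get(host, 0)

    def _record_failure(self, host, user, now):
        if user == "root" and not self.count_root_failures:
            return
        q = self._failures[host]
        while q and now - q[0] > WINDOW_SECONDS:   # drop failures outside the window
            q.popleft()
        q.append(now)
        if len(q) >= MAX_FAILURES:
            self._blocked_until[host] = now + BLOCK_SECONDS

    def login(self, host, user, password_ok, now):
        """Return 'blocked', 'denied' or 'ok' for one attempt."""
        if self.is_blocked(host, now):
            return "blocked"          # refused before the password is even checked
        if not password_ok:
            self._record_failure(host, user, now)
            return "denied"
        return "ok"


def lab_scenario(count_root_failures):
    """Constructed sequence: six students mistype root's password from the
    shared lab host one minute apart, then the instructor types it
    correctly from the same host.  Returns the instructor's outcome."""
    bl = HostBlacklist(count_root_failures)
    lab_host = "192.0.2.10"   # constructed address (documentation range)
    t = 0
    for _ in range(6):
        bl.login(lab_host, "root", False, t)
        t += 60
    return bl.login(lab_host, "root", True, t)


def dictionary_attack_scenario(count_root_failures):
    """Constructed sequence: a remote host sends 200 wrong root passwords one
    second apart.  Returns how many of them were actually evaluated against
    the password database (i.e. not refused up front by the blacklist)."""
    bl = HostBlacklist(count_root_failures)
    attacker = "198.51.100.7"   # constructed address (documentation range)
    evaluated = 0
    for i in range(200):
        if bl.login(attacker, "root", False, i) == "denied":
            evaluated += 1
    return evaluated


if __name__ == "__main__":
    for setting in (True, False):
        print("count root failures:", setting,
              "| instructor:", lab_scenario(setting),
              "| guesses evaluated:", dictionary_attack_scenario(setting))
```

With root failures counted, the instructor's correct login from the lab host is refused (the DoS Eric describes) while the remote guesser gets only MAX_FAILURES attempts evaluated before the host is refused outright; with root failures ignored, the instructor gets in but every one of the 200 guesses is evaluated. Which side of that an installation prefers is exactly the choice the thread says should be left to the administrator, and the same model shows why a bastion host, where many people's failures share one source address, sits on the costly side of the host rule.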
--
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct