Re: Request for comments regarding default configuration of pam_abl module

My personal take is that for desktop (normal end-user) it stays as is, or as an option in an advanced options setting, and in server-land to make the added DoS environment default, as any of us in that realm should know not only how to determine our environment's needs but how to adjust.

Corey W Sheldon
Owner, 1st Class Mobile Shine
310.909.7672
www.facebook.com/1stclassmobileshine


On Mon, Mar 24, 2014 at 12:57 PM, Kevin Fenzi <kevin@xxxxxxxxx> wrote:
On Sun, 23 Mar 2014 23:46:15 -0600
Eric Smith <spacewar@xxxxxxxxx> wrote:

> In bug #1079767, it is requested that the default configuration for
> pam_abl be changed such that multiple root login failures from a
> network host will (temporarily) blacklist that host.  The existing
> default configuration deliberately does not do that, due to potential
> for a Denial of Service. For example, in a classroom or lab, students
> might try to log into a server as root, and failures could prevent
> the instructor from being able to do so from the same machines in
> the lab.  Another scenario would be a miscreant breaking into one
> machine on a network, that happens to be used to ssh into another
> machine on the network, and getting that first machine blacklisted.
>
> I understand the motivation to blacklist malicious hosts that try
> dictionary attacks against root, but I don't like having the default
> configuration susceptible to a DoS.  My feeling is that the default
> configuration provides some value, but that the system administrator
> should make the choice as to whether to tighten the rules and
> potentially have a DoS issue.
>
> I'm interested in hearing the opinions of other developers, before
> making a decision about the proposed change.

I think it's pretty common practice to use a 'bastion host' to gateway
into other servers that aren't directly reachable on the internet.

Not sure if that use case is enough to sway the default however. You
could say that people setting up a bastion host should be changing the
default config for their setup rather than everyone else changing
default for the bastion host case.

kevin

--
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
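
The trade-off discussed in this thread, as an added example that is not part of the original messages and not pam_abl's own code: a simplified model of per-host blacklisting that compares the existing default (root failures do not blacklist the host) with the requested change, using the classroom scenario. The host name, the "10/1h" limit and the ">= count" blocking semantics are assumptions made for illustration.

```python
import re
from collections import defaultdict, deque

UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400}

def parse_limit(spec):
    """Parse a 'count/period' limit such as '10/1h' into (10, 3600)."""
    m = re.fullmatch(r"(\d+)/(\d+)([smhd])", spec)
    if not m:
        raise ValueError(f"bad limit: {spec!r}")
    return int(m.group(1)), int(m.group(2)) * UNITS[m.group(3)]

class HostBlacklist:
    """Simplified model: a host is blocked while it has >= count
    recorded failures inside the sliding window (assumed semantics)."""

    def __init__(self, limit, count_root_failures):
        self.count, self.window = parse_limit(limit)
        self.count_root_failures = count_root_failures
        self.failures = defaultdict(deque)  # host -> failure timestamps

    def record_failure(self, host, user, ts):
        # Existing default as described in the thread: failed root
        # logins do not count towards blacklisting the source host.
        if user == "root" and not self.count_root_failures:
            return
        self.failures[host].append(ts)

    def is_blocked(self, host, now):
        q = self.failures[host]
        while q and q[0] <= now - self.window:
            q.popleft()  # failure has aged out, so the block is temporary
        return len(q) >= self.count

def lab_scenario(count_root_failures, check_at=600):
    """Constructed scenario: 12 failed root logins from one shared lab
    machine, then the instructor connects from that same machine."""
    bl = HostBlacklist("10/1h", count_root_failures)
    for i in range(12):
        bl.record_failure("lab-pc-7", "root", ts=i * 30)
    return bl.is_blocked("lab-pc-7", now=check_at)

if __name__ == "__main__":
    print("existing default, instructor blocked:", lab_scenario(False))
    print("requested change, instructor blocked:", lab_scenario(True))
    print("requested change, after the window:  ", lab_scenario(True, 4000))
```

The same model applies to the bastion-host case: every user behind the shared source address is blocked once that address reaches the limit.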
