On Tue, 20 March 2007 10:59, Thomas M Steenholdt wrote:
> Nicolas Mailhot wrote:
>> On Tue, 20 March 2007 10:42, Thomas M Steenholdt wrote:
>>> Nicolas Mailhot wrote:
>>>> Disabling ssh is not a good solution, many people need it. However the
>>>> default fedora ssh setup is woefully insecure
>>>>
>>>> At least ssh rate-limiting should be in the default firewall install.
>>>> Pam_abl would be even better (for other network services)
>>>>
>>> Blacklisting opens the potential for denial-of-service attacks. I'm not
>>> too familiar with the pam_abl implementation,
>>
>> You have per-source-host and per-target-user tuneables
>
> Potential problems with user=root and/or IP spoofing?

You have to balance the risk of DOSing with the protection level. But at
least you can special-case dangerous users, and protect against
distributed root attacks, which iptables won't notice.

-- 
Nicolas Mailhot
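
An added example, not part of the original thread and not pam_abl's or iptables' own code or configuration: a simplified model of per-source-host versus per-target-user failure counting, run over constructed login failures, showing why a distributed attack on root goes unnoticed when only source addresses are counted. The event data, thresholds and the `over_limit` helper are assumptions made for illustration.

```python
from collections import defaultdict, deque

# Constructed failed-login events: (unix_seconds, source_host, target_user).
EVENTS = (
    # 40 hosts, two root guesses each: a distributed attack on one account.
    [(i * 15 + d, f"203.0.113.{i + 1}", "root") for i in range(40) for d in (0, 5)]
    # One host hammering a single ordinary account.
    + [(100 + 2 * i, "198.51.100.7", "alice") for i in range(12)]
    # One legitimate typo.
    + [(300, "192.0.2.10", "bob")]
)


def over_limit(events, field, limits, default_limit, window=3600):
    """Return keys (hosts or users) with more than their limit of failures
    inside a sliding window of `window` seconds.

    field  -- "host" to count per source host, "user" to count per target user
    limits -- per-key overrides, e.g. a stricter threshold for root
    """
    idx = {"host": 1, "user": 2}[field]
    recent = defaultdict(deque)  # key -> timestamps of failures still in window
    flagged = set()
    for event in sorted(events):
        ts, key = event[0], event[idx]
        q = recent[key]
        q.append(ts)
        while ts - q[0] >= window:  # drop failures that have aged out
            q.popleft()
        if len(q) > limits.get(key, default_limit):
            flagged.add(key)
    return flagged


if __name__ == "__main__":
    # Per-source counting sees only the single noisy host.
    print("per host:", over_limit(EVENTS, "host", {}, default_limit=5))
    # Per-target counting, with root special-cased, sees the distributed attack.
    print("per user:", over_limit(EVENTS, "user", {"root": 10}, default_limit=20))
```

In this model, flagging the user root also refuses legitimate root logins while the entry lasts, which is the denial-of-service trade-off raised in the thread.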