Re: A Topic that needs to be discussed on the next QA meeting..

Tomas Mraz wrote:
> On Mon, 2008-03-17 at 19:53 -0700, Andrew Farris wrote:
>> Had you even considered asking denyhosts to be a part of the base install and configured to start blocking hosts after 10 account failures, or when attempts at service account logins are made? Problem solved.. ssh still open.
> Perhaps we should add pam_abl to default sshd PAM configuration with
> some reasonable defaults on how many auth failures are allowed?

The benefit of denyhosts goes beyond that. A user can script an attempt at many different logins, trying one at a time, spreading them out over a period of several minutes, so that multiple auth failures are not triggered. What denyhosts provides is the larger picture of an external IP attempting multiple accounts or failing a single account multiple times. It's been very effective in reducing the ssh login attempts on my home machines which have ssh open to the internet (even though they are pub/priv keypair restricted they still get hammered with repeated login attempts and denyhosts picks that up and adds them to hosts.deny).

>> I would argue that blocking root from ssh logins by default would be smart. I would think a livecd install (almost always a desktop user) it should be blocked by the firewall by default. But seriously this rant is a bit over the top.
> Unfortunately user accounts are set up in firstboot so disabling root
> login in ssh by default is not possible.

Well, that's true, but firstboot could disable ssh for root once a user account is created (unless a checkbox was left enabled or something).. and you'd still get perfectly acceptable behavior for headless installs.

--
Andrew Farris <lordmorgul@xxxxxxxxx> www.lordmorgul.net
 gpg 0xC99B1DF3 fingerprint CDEC 6FAD BA27 40DF 707E A2E0 F0F6 E622 C99B 1DF3
No one now has, and no one will ever again get, the big picture. - Daniel Geer
----                                                                       ----

--
fedora-test-list mailing list
fedora-test-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-test-list
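
The contrast drawn in the message above, as an added example that is not part of the original post and is not DenyHosts or pam_abl code: the same constructed sshd log lines are counted once per account and once per source IP, using the thread's threshold of 10 failures and its service-account rule. The log line format, the service-account list and all function names are assumptions made for the illustration.

```python
import re
from collections import defaultdict

# OpenSSH syslog line for a failed password (format assumed for this example).
FAILED = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) "
                    r"from (?P<ip>\S+) port \d+")
SERVICE_ACCOUNTS = {"root", "bin", "daemon", "mail", "nobody"}  # assumed list

def parse(lines):
    """Yield (user, ip) for every failed-password line."""
    for line in lines:
        m = FAILED.search(line)
        if m:
            yield m["user"], m["ip"]

def per_account_view(lines, limit):
    """Accounts whose own failure count reaches the limit."""
    counts = defaultdict(int)
    for user, _ip in parse(lines):
        counts[user] += 1
    return {u for u, n in counts.items() if n >= limit}

def per_source_view(lines, limit):
    """Map source IP -> reason to block: failures summed over all accounts
    reach the limit, or a service account was tried at all."""
    total, reasons = defaultdict(int), {}
    for user, ip in parse(lines):
        total[ip] += 1
        if user in SERVICE_ACCOUNTS:
            reasons.setdefault(ip, "service account: " + user)
        elif total[ip] >= limit:
            reasons.setdefault(ip, "%d failures" % total[ip])
    return reasons

def sample_log():
    """Constructed log lines (documentation IP ranges), not real data."""
    fmt = "Mar 17 20:%02d:01 host sshd[%d]: Failed password for %s from %s port %d ssh2"
    names = ["alice", "bob", "carol", "dave", "erin", "frank",
             "grace", "heidi", "ivan", "judy", "mallory", "niaj"]
    # One source, twelve accounts, one try each, four minutes apart.
    log = [fmt % (4 * i, 3000 + i, "invalid user " + n, "203.0.113.7", 40000 + i)
           for i, n in enumerate(names)]
    # A real user mistyping twice, and a single attempt at root.
    log += [fmt % (m, 3100 + m, "andrew", "198.51.100.20", 41000 + m) for m in (5, 6)]
    log.append(fmt % (30, 3200, "root", "192.0.2.44", 42000))
    return log

if __name__ == "__main__":
    print("per account:", per_account_view(sample_log(), 10))
    print("per source: ", per_source_view(sample_log(), 10))
```

On this sample no single account reaches the limit, while the per-source count flags the address that walked through twelve accounts and the one that tried root, and leaves the mistyping user alone.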
