Andrew Farris wrote:
Tomas Mraz wrote:
On Mon, 2008-03-17 at 19:53 -0700, Andrew Farris wrote:
Had you even considered asking denyhosts to be a part of the base
install and configured to start blocking hosts after 10 account
failures, or when attempts at service account logins are made?
Problem solved.. ssh still open.
Perhaps we should add pam_abl to default sshd PAM configuration with
some reasonable defaults on how many auth failures are allowed?
The benefit of denyhosts goes beyond that. A user can script an attempt
at many different logins, trying one at a time, spreading them out over
a period of several minutes, so that multiple auth failures are not
triggered. What denyhosts provides is the larger picture of an external
ip attempting multiple accounts or failing a single account multiple
times. Its been very effective in reducing the ssh login attempts on my
home machines which have ssh open to the internet (even though they are
pub/priv keypair restricted they still get hammered with repeated login
attempts and denyhosts picks that up and adds them to hosts.deny).
I don't mean to say adding a pam auth failure limit would be a bad idea; it
would probably work very nicely with denyhosts. However denyhosts can react in
much the same way, for instance 3 repeated failures for the same account, or 3
different account failures, and then block.
--
Andrew Farris <lordmorgul@xxxxxxxxx> www.lordmorgul.net
gpg 0xC99B1DF3 fingerprint CDEC 6FAD BA27 40DF 707E A2E0 F0F6 E622 C99B 1DF3
No one now has, and no one will ever again get, the big picture. - Daniel Geer
---- ----
--
fedora-test-list mailing list
fedora-test-list@xxxxxxxxxx
To unsubscribe:
https://www.redhat.com/mailman/listinfo/fedora-test-list
