Re: A Topic that needs to be discussed on next the QA meeting..

Andrew Farris wrote:
Tomas Mraz wrote:
> On Mon, 2008-03-17 at 19:53 -0700, Andrew Farris wrote:
>> Had you even considered asking denyhosts to be a part of the base install and configured to start blocking hosts after 10 account failures, or when attempts at service account logins are made? Problem solved.. ssh still open.
> Perhaps we should add pam_abl to default sshd PAM configuration with
> some reasonable defaults on how many auth failures are allowed?

The benefit of denyhosts goes beyond that. A user can script an attempt at many different logins, trying one at a time, spreading them out over a period of several minutes, so that multiple auth failures are not triggered. What denyhosts provides is the larger picture of an external IP attempting multiple accounts or failing a single account multiple times. It's been very effective in reducing the ssh login attempts on my home machines which have ssh open to the internet (even though they are pub/priv keypair restricted they still get hammered with repeated login attempts and denyhosts picks that up and adds them to hosts.deny).

I don't mean to say adding a pam auth failure limit would be a bad idea; it would probably work very nicely with denyhosts. However, denyhosts can react in much the same way, for instance 3 repeated failures for the same account, or 3 different account failures, and then block.

--
Andrew Farris <lordmorgul@xxxxxxxxx> www.lordmorgul.net
 gpg 0xC99B1DF3 fingerprint CDEC 6FAD BA27 40DF 707E A2E0 F0F6 E622 C99B 1DF3
No one now has, and no one will ever again get, the big picture. - Daniel Geer
----                                                                       ----
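
The per-source aggregation described in the message above, as an added example that is not part of the original post and is not DenyHosts' own code. The function names, the OpenSSH "Failed password" log format and the sample log lines are assumptions made for illustration; the per-account counter is a deliberate simplification, not how pam_abl works.

```python
import re
from collections import defaultdict

# Thresholds taken from the message above: 3 failures on one account,
# or failures on 3 different accounts, from the same source address.
SAME_ACCOUNT_LIMIT = 3
DISTINCT_ACCOUNT_LIMIT = 3

# Matches the usual OpenSSH "Failed password" syslog message (assumed format).
FAILED = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)

def hosts_to_block(lines):
    """Return {ip: reason} for sources that cross either threshold."""
    per_ip = defaultdict(lambda: defaultdict(int))  # ip -> user -> failures
    blocked = {}
    for line in lines:
        m = FAILED.search(line)
        if not m or m["ip"] in blocked:
            continue
        users = per_ip[m["ip"]]
        users[m["user"]] += 1
        if users[m["user"]] >= SAME_ACCOUNT_LIMIT:
            blocked[m["ip"]] = "repeated failures for " + m["user"]
        elif len(users) >= DISTINCT_ACCOUNT_LIMIT:
            blocked[m["ip"]] = "failures across %d accounts" % len(users)
    return blocked

def accounts_over_limit(lines, limit=SAME_ACCOUNT_LIMIT):
    """Simplified per-account counter that ignores the source address."""
    counts = defaultdict(int)
    for line in lines:
        m = FAILED.search(line)
        if m:
            counts[m["user"]] += 1
    return {user for user, n in counts.items() if n >= limit}

def hosts_deny_lines(blocked):
    """Format blocked sources as tcp_wrappers hosts.deny entries."""
    return ["sshd: %s" % ip for ip in sorted(blocked)]

# Constructed sample log: one source tries a different account every few minutes.
SAMPLE_LOG = [
    "Mar 17 19:01:02 host sshd[411]: Failed password for invalid user admin from 203.0.113.5 port 40112 ssh2",
    "Mar 17 19:04:40 host sshd[415]: Failed password for root from 203.0.113.5 port 40388 ssh2",
    "Mar 17 19:05:13 host sshd[417]: Failed password for alice from 198.51.100.7 port 51514 ssh2",
    "Mar 17 19:09:27 host sshd[420]: Failed password for invalid user oracle from 203.0.113.5 port 41001 ssh2",
]
```

On the sample log no single account reaches three failures, so the per-account counter flags nothing, while the per-source view blocks the one address that tried three accounts.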

--
fedora-test-list mailing list
fedora-test-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-test-list
