12:46 a.m.
In bug #1079767, it is requested that the default configuration for pam_abl
be changed such that multiple root login failures from a network host will
(temporarily) blacklist that host. The existing default configuration
deliberately does not do that, due to potential for a Denial of Service.
For example, in a classroom or lab, students might try to log into a server
as root, and failures could prevent the instruction from being able to do
so from the same machines in the lab. Another scenario would be a
miscreant breaking into one machine on a network, that happens to be used
to ssh into another machine on the network, and getting that first machine
blacklisted.
I understand the motivation to blacklist malicious hosts that try
dictionary attacks against root, but I don't like having the default
configuration susceptible to a DoS. My feeling is that the default
configuration provides some value, but that the system administrator should
make the choice as to whether to tighten the rules and potentially have a
DoS issue.
I'm interested in hearing in opinions of other developers, before making a
decision about the proposed change.
Thanks!
Eric
11:57 a.m.
On Sun, 23 Mar 2014 23:46:15 -0600
Eric Smith <spacewar(a)gmail.com> wrote:
In bug #1079767, it is requested that the default configuration for
pam_abl be changed such that multiple root login failures from a
network host will (temporarily) blacklist that host. The existing
default configuration deliberately does not do that, due to potential
for a Denial of Service. For example, in a classroom or lab, students
might try to log into a server as root, and failures could prevent
the instruction from being able to do so from the same machines in
the lab. Another scenario would be a miscreant breaking into one
machine on a network, that happens to be used to ssh into another
machine on the network, and getting that first machine blacklisted.
I understand the motivation to blacklist malicious hosts that try
dictionary attacks against root, but I don't like having the default
configuration susceptible to a DoS. My feeling is that the default
configuration provides some value, but that the system administrator
should make the choice as to whether to tighten the rules and
potentially have a DoS issue.
I'm interested in hearing in opinions of other developers, before
making a decision about the proposed change.
I think it's pretty common practice to use a 'bastion host' to gateway
into other servers that aren't directly reachable on the internet.
Not sure if that use case is enough to sway the default however. You
could say that people setting up a bastion host should be changing the
default config for their setup rather than everyone else changing
default for the bastion host case.
kevin
12:53 p.m.
My personal take is for desktop (normal end-user) that it stays as is or as
a option in an advanced options setting and in the server-land to make the
added DoS environment default as any of us in that realm should know not
only about to determine our environment's needs but how to adjust
Corey W Sheldon
Owner, 1st Class Mobile Shine
310.909.7672
www.facebook.com/1stclassmobileshine
On Mon, Mar 24, 2014 at 12:57 PM, Kevin Fenzi <kevin(a)scrye.com> wrote:
On Sun, 23 Mar 2014 23:46:15 -0600
Eric Smith <spacewar(a)gmail.com> wrote:
> In bug #1079767, it is requested that the default configuration for
> pam_abl be changed such that multiple root login failures from a
> network host will (temporarily) blacklist that host. The existing
> default configuration deliberately does not do that, due to potential
> for a Denial of Service. For example, in a classroom or lab, students
> might try to log into a server as root, and failures could prevent
> the instruction from being able to do so from the same machines in
> the lab. Another scenario would be a miscreant breaking into one
> machine on a network, that happens to be used to ssh into another
> machine on the network, and getting that first machine blacklisted.
>
> I understand the motivation to blacklist malicious hosts that try
> dictionary attacks against root, but I don't like having the default
> configuration susceptible to a DoS. My feeling is that the default
> configuration provides some value, but that the system administrator
> should make the choice as to whether to tighten the rules and
> potentially have a DoS issue.
>
> I'm interested in hearing in opinions of other developers, before
> making a decision about the proposed change.
I think it's pretty common practice to use a 'bastion host' to gateway
into other servers that aren't directly reachable on the internet.
Not sure if that use case is enough to sway the default however. You
could say that people setting up a bastion host should be changing the
default config for their setup rather than everyone else changing
default for the bastion host case.
kevin
--
devel mailing list
devel(a)lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
11:19 p.m.
Is there a policy that for different Fedora.next products, we can
apply different rules?
Or just add comments in the conf?
3723
days inactive
3724
days old
3 comments
4 participants
participants (4)
-
Christopher Meng -
Corey Sheldon -
Eric Smith -
Kevin Fenzi