On Sun, 23 Mar 2014 23:46:15 -0600
Eric Smith <spacewar(a)gmail.com> wrote:
> In bug #1079767, it is requested that the default configuration for
> pam_abl be changed such that multiple root login failures from a
> network host will (temporarily) blacklist that host. The existing
> default configuration deliberately does not do that, due to potential
> for a Denial of Service. For example, in a classroom or lab, students
> might try to log into a server as root, and failures could prevent
> the instructor from being able to do so from the same machines in
> the lab. Another scenario would be a miscreant breaking into one
> machine on a network, that happens to be used to ssh into another
> machine on the network, and getting that first machine blacklisted.
>
> I understand the motivation to blacklist malicious hosts that try
> dictionary attacks against root, but I don't like having the default
> configuration susceptible to a DoS. My feeling is that the default
> configuration provides some value, but that the system administrator
> should make the choice as to whether to tighten the rules and
> potentially have a DoS issue.
>
> I'm interested in hearing the opinions of other developers, before
> making a decision about the proposed change.

I think it's pretty common practice to use a 'bastion host' to gateway
into other servers that aren't directly reachable on the internet.
Not sure if that use case is enough to sway the default however. You
could say that people setting up a bastion host should be changing the
default config for their setup rather than everyone else changing the
default for the bastion host case.
kevin
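
The trade-off discussed in this thread, as an added example that is not part of the original messages and is not pam_abl code: a simplified sliding-window model of a host rule. The threshold (10 failures per hour), the `count_root` switch and the address are assumptions made for illustration.

```python
from collections import defaultdict, deque

class HostBlacklist:
    """Simplified model of a failure-count host rule (not pam_abl's own code)."""

    def __init__(self, max_failures, window_s, count_root):
        self.max_failures = max_failures    # counted failures that trigger a block
        self.window_s = window_s            # sliding window length in seconds
        self.count_root = count_root        # do failed root logins count against the host?
        self.failures = defaultdict(deque)  # host -> timestamps of counted failures

    def _expire(self, host, now):
        # Drop failures that have aged out of the window.
        q = self.failures[host]
        while q and now - q[0] >= self.window_s:
            q.popleft()

    def is_blocked(self, host, now):
        self._expire(host, now)
        return len(self.failures[host]) >= self.max_failures

    def attempt(self, host, user, password_ok, now):
        """Return 'blocked', 'ok' or 'failed' for one login attempt."""
        if self.is_blocked(host, now):
            return "blocked"                # the password is never even checked
        if password_ok:
            return "ok"
        if user != "root" or self.count_root:
            self.failures[host].append(now)
        return "failed"

def shared_host_scenario(count_root):
    """Constructed scenario: ten bad root logins from a shared host, then valid ones."""
    bl = HostBlacklist(max_failures=10, window_s=3600, count_root=count_root)
    host = "192.0.2.10"                     # constructed address (documentation range)
    for t in range(10):                     # e.g. students guessing the root password
        bl.attempt(host, "root", password_ok=False, now=t)
    # The instructor, with the correct password, from the same machine:
    in_window = bl.attempt(host, "root", password_ok=True, now=60)
    after_window = bl.attempt(host, "root", password_ok=True, now=3600 + 10)
    return in_window, after_window

if __name__ == "__main__":
    print("root failures counted:    ", shared_host_scenario(True))
    print("root failures not counted:", shared_host_scenario(False))
```

With root failures counted, the legitimate login from the shared host is refused until the window expires, which is the lockout both messages describe for lab machines and bastion hosts.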