On Mon, Oct 7, 2013 at 10:37 AM, Toshio Kuratomi <a.badger(a)gmail.com> wrote:
Objection.
+ Use denyhosts as this is what we're using on the rest of infra.
+ we should talk a bit about whether we want denyhosts on for all cloud
boxes or just specific ones. I lean towards enabling it for security but we
did envision the cloud hosts being more forgiving than the rest of infra's
hosts so we should just take a moment to make sure there's no use cases it's
impacting.
If you do ever consider moving away from denyhosts please take a look
at solutions that don't require log scraping which denyhosts has
already proved can be yet another security hole. Philosophically I
don't see much difference between these two choices (denyhosts and
fail2ban as both share in the less than optimal method of log scraping
to trigger action).
I would at least reconsider other options at that time. Things that
don't depend on logs like pam_abl seem to my mind be better designed
with security in mind.
John