On Thu, 19 May 2011 09:08:06 -0600
Vincent Danen <vdanen(a)redhat.com> wrote:
> * [2011-05-19 07:18:38 -0600] Kevin Fenzi wrote:
> ...snip...
> >If it's brute force attacks that are the vector of concern, perhaps
> >we could look at a default hashlimit rule in front of the ssh. (ie, 1
> >attempt per minute or the like).
> Or simply have a page asking the user whether or not to enable ssh? I
> can't recall off the top of my head, but I believe there is a screen
> where you ask if you want the firewall enabled, right? Why not have a
> very obvious checkbox: "[ ] Enable ssh at boot" and if the user checks
> it off, set the firewall to allow ssh and turn ssh on. If the user
> does _not_ check it off (aka they are sitting back and saying "what
> is this ssh thing they speak of?") then have the firewall block port
> 22 and chkconfig ssh off.
> It's not difficult. Those who need ssh will know what it is and will
> turn it on. Those who don't (probably the majority) will leave it off
> and be protected.
> I think that would cover all areas of concern without
> unnecessary/needless rate-limiting or changing sshd_config, etc. And
> it's one more UI element during install (and presumably something that
> could be set in a kickstart file as well as a result).
Sure. Feel free to suggest it/provide patches to the anaconda folks.
There may well be cases this doesn't handle, but they would know more
than I what those might be.
kevin