Request for comments regarding default configuration of pam_abl module

Eric Smith spacewar at gmail.com
Mon Mar 24 05:46:15 UTC 2014


In bug #1079767, it is requested that the default configuration for pam_abl
be changed such that multiple root login failures from a network host will
(temporarily) blacklist that host.  The existing default configuration
deliberately does not do that, due to potential for a Denial of Service.
For example, in a classroom or lab, students might try to log into a server
as root, and failures could prevent the instructor from being able to do
so from the same machines in the lab.  Another scenario would be a
miscreant breaking into one machine on a network, that happens to be used
to ssh into another machine on the network, and getting that first machine
blacklisted.

I understand the motivation to blacklist malicious hosts that try
dictionary attacks against root, but I don't like having the default
configuration susceptible to a DoS.  My feeling is that the default
configuration provides some value, but that the system administrator should
make the choice as to whether to tighten the rules and potentially have a
DoS issue.

I'm interested in hearing the opinions of other developers, before making a
decision about the proposed change.

Thanks!
Eric
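The trade-off the message describes can be made concrete with a small model. The following is an added example, not code from the original post or from pam_abl: it counts constructed login-failure events under two policies, per-host blocking (what the bug report asks for) and per-user blocking with root exempt (the conservative default the post defends), and shows which one locks out an instructor whose students just failed root logins from the same lab machine, and which one lets a dictionary attack against root go unblocked. The threshold, hostnames and event lists are all constructed for the example.

```python
"""Toy model of the blacklisting trade-off from the pam_abl discussion.

Added example; the hostnames, threshold and failure events are constructed.
Two policies are compared:
  - per-host: N failures from one source host block that host, no matter
    which account was tried (the change requested in the bug report);
  - per-user with root exempt: failures count against the account only,
    and root is never blocked (the cautious default the post prefers).
"""
from collections import Counter

THRESHOLD = 3  # constructed: failures tolerated before a block applies

# Constructed lab scenario: three students mistype the root password from
# lab-pc-01, which is also the machine the instructor uses.
LAB_FAILURES = [
    ("lab-pc-01", "root"),
    ("lab-pc-01", "root"),
    ("lab-pc-01", "root"),
    ("lab-pc-02", "alice"),
]

# Constructed attack scenario: one remote host hammers root repeatedly.
ATTACK_FAILURES = [("198.51.100.7", "root")] * 20  # TEST-NET-2 address


def host_policy(failures, threshold=THRESHOLD):
    """Hosts blocked under per-host blacklisting."""
    counts = Counter(host for host, _user in failures)
    return {h for h, n in counts.items() if n >= threshold}


def user_policy(failures, threshold=THRESHOLD, exempt=("root",)):
    """Users blocked under per-user blacklisting with exempt accounts."""
    counts = Counter(user for _host, user in failures if user not in exempt)
    return {u for u, n in counts.items() if n >= threshold}


def login_refused(failures, host, user, policy):
    """Would a fresh login attempt as `user` from `host` be refused?"""
    if policy == "host":
        return host in host_policy(failures)
    if policy == "user":
        return user in user_policy(failures)
    raise ValueError(f"unknown policy {policy!r}")


def compare(failures, host, user):
    """Refusal outcome for a given login under both policies."""
    return {p: login_refused(failures, host, user, p) for p in ("host", "user")}


if __name__ == "__main__":
    # The DoS the post worries about: instructor locked out by students.
    print("lab, instructor root login:", compare(LAB_FAILURES, "lab-pc-01", "root"))
    # The cost of the cautious default: the attacking host is never blocked.
    print("attack, attacker root login:", compare(ATTACK_FAILURES, "198.51.100.7", "root"))
```

Running the model shows the two policies failing in opposite directions: the per-host rule refuses the instructor's legitimate root login from lab-pc-01 after the students' failures, while the per-user rule with root exempt never blocks the attacking host. Which failure is acceptable is the administrator's call, which is the point the post makes.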