Request for comments regarding default configuration of pam_abl module
Eric Smith
spacewar at gmail.com
Mon Mar 24 05:46:15 UTC 2014
In bug #1079767, it is requested that the default configuration for pam_abl
be changed such that multiple root login failures from a network host will
(temporarily) blacklist that host. The existing default configuration
deliberately does not do that, due to potential for a Denial of Service.
For example, in a classroom or lab, students might try to log into a server
as root, and failures could prevent the instruction from being able to do
so from the same machines in the lab. Another scenario would be a
miscreant breaking into one machine on a network, that happens to be used
to ssh into another machine on the network, and getting that first machine
blacklisted.
I understand the motivation to blacklist malicious hosts that try
dictionary attacks against root, but I don't like having the default
configuration susceptible to a DoS. My feeling is that the default
configuration provides some value, but that the system administrator should
make the choice as to whether to tighten the rules and potentially have a
DoS issue.
I'm interested in hearing in opinions of other developers, before making a
decision about the proposed change.
Thanks!
Eric
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.fedoraproject.org/pipermail/devel/attachments/20140323/f994903b/attachment.html>
More information about the devel
mailing list