Request for comments regarding default configuration of pam_abl module

Kevin Fenzi kevin at scrye.com
Mon Mar 24 16:57:23 UTC 2014


On Sun, 23 Mar 2014 23:46:15 -0600
Eric Smith <spacewar at gmail.com> wrote:

> In bug #1079767, it is requested that the default configuration for
> pam_abl be changed such that multiple root login failures from a
> network host will (temporarily) blacklist that host.  The existing
> default configuration deliberately does not do that, due to potential
> for a Denial of Service. For example, in a classroom or lab, students
> might try to log into a server as root, and failures could prevent
> the instructor from being able to do so from the same machines in
> the lab.  Another scenario would be a miscreant breaking into one
> machine on a network, that happens to be used to ssh into another
> machine on the network, and getting that first machine blacklisted.
> 
> I understand the motivation to blacklist malicious hosts that try
> dictionary attacks against root, but I don't like having the default
> configuration susceptible to a DoS.  My feeling is that the default
> configuration provides some value, but that the system administrator
> should make the choice as to whether to tighten the rules and
> potentially have a DoS issue.
> 
> I'm interested in hearing the opinions of other developers, before
> making a decision about the proposed change.

I think it's pretty common practice to use a 'bastion host' to gateway
into other servers that aren't directly reachable on the internet. 

Not sure if that use case is enough to sway the default however. You
could say that people setting up a bastion host should be changing the
default config for their setup rather than everyone else changing
default for the bastion host case. 

kevin
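Added illustration (not part of the thread, and not pam_abl's own code): a small model of per-host blacklisting with a sliding failure window, run through the two scenarios the thread raises. The threshold, window, addresses and account names are constructed; pam_abl's real rule syntax and defaults are not reproduced here.

```python
from collections import defaultdict, deque

# Constructed policy: THRESHOLD failures within WINDOW seconds blacklist a
# host; entries expire once they age out of the window (temporary block).
THRESHOLD = 10
WINDOW = 3600


class HostBlacklist:
    """Per-source-host failure counter. Failures for accounts listed in
    exclude_users are not counted, modelling a default where failed root
    logins do not blacklist the originating host."""

    def __init__(self, exclude_users=()):
        self.exclude_users = set(exclude_users)
        self.failures = defaultdict(deque)   # host -> failure timestamps

    def _prune(self, host, now):
        q = self.failures[host]
        while q and now - q[0] >= WINDOW:    # drop failures older than WINDOW
            q.popleft()
        return q

    def record_failure(self, host, user, now):
        if user not in self.exclude_users:
            self._prune(host, now).append(now)

    def is_blocked(self, host, now):
        return len(self._prune(host, now)) >= THRESHOLD


def lab_scenario(exclude_users=()):
    """Students on a shared lab box burn THRESHOLD bad root passwords, one a
    minute; the instructor tries root from the same box a minute later.
    Returns True if the instructor is locked out."""
    bl = HostBlacklist(exclude_users)
    lab_box = "192.0.2.10"            # constructed (RFC 5737 range)
    for t in range(THRESHOLD):
        bl.record_failure(lab_box, "root", now=t * 60)
    return bl.is_blocked(lab_box, now=THRESHOLD * 60 + 60)


def bastion_scenario(exclude_users=()):
    """A compromised bastion sends THRESHOLD bad logins for an ordinary
    account. Returns (blocked right after, blocked once WINDOW has passed):
    the admin hopping through the bastion is refused until the block expires."""
    bl = HostBlacklist(exclude_users)
    bastion = "198.51.100.5"          # constructed (RFC 5737 range)
    for t in range(THRESHOLD):
        bl.record_failure(bastion, "alice", now=t)
    return bl.is_blocked(bastion, now=THRESHOLD), bl.is_blocked(bastion, now=THRESHOLD + WINDOW)
```

Excluding root from the host count removes the classroom lockout but does nothing for the bastion case, which is what makes the second scenario an argument about the host rule itself rather than about root.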