My personal take is for desktop (normal end-user) that it stays as is or as an option in an advanced options setting and in the server-land to make the added DoS environment default as any of us in that realm should know not only about to determine our environment's needs but how to adjust

Corey W Sheldon
Owner, 1st Class Mobile Shine
310.909.7672
www.facebook.com/1stclassmobileshine

On Mon, Mar 24, 2014 at 12:57 PM, Kevin Fenzi <ke...@scrye.com> wrote:

> On Sun, 23 Mar 2014 23:46:15 -0600
> Eric Smith <space...@gmail.com> wrote:
>
> > In bug #1079767, it is requested that the default configuration for
> > pam_abl be changed such that multiple root login failures from a
> > network host will (temporarily) blacklist that host. The existing
> > default configuration deliberately does not do that, due to potential
> > for a Denial of Service. For example, in a classroom or lab, students
> > might try to log into a server as root, and failures could prevent
> > the instructor from being able to do so from the same machines in
> > the lab. Another scenario would be a miscreant breaking into one
> > machine on a network, that happens to be used to ssh into another
> > machine on the network, and getting that first machine blacklisted.
> >
> > I understand the motivation to blacklist malicious hosts that try
> > dictionary attacks against root, but I don't like having the default
> > configuration susceptible to a DoS. My feeling is that the default
> > configuration provides some value, but that the system administrator
> > should make the choice as to whether to tighten the rules and
> > potentially have a DoS issue.
> >
> > I'm interested in hearing opinions of other developers, before
> > making a decision about the proposed change.
>
> I think it's pretty common practice to use a 'bastion host' to gateway
> into other servers that aren't directly reachable on the internet.
>
> Not sure if that use case is enough to sway the default however. You
> could say that people setting up a bastion host should be changing the
> default config for their setup rather than everyone else changing
> default for the bastion host case.
>
> kevin
>
> --
> devel mailing list
> devel@lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/devel
> Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct