Hi,

On Tue, Mar 18, 2014 at 11:32:49PM +0000, Philip Hands wrote:
> Petter Reinholdtsen <[email protected]> writes:
>
> > Hi.
> >
> > On all my machines, I install denyhosts with a two hour timeout
> > (DAEMON_PURGE = 2h), to block those trying to brute force an ssh login.
> > Should we do something similar on the Freedombox?
> >
> > In addition to denyhosts (which only handles ssh), there are other
> > relevant packages in Debian:
> >
> > libpam-shield - locks out remote attackers trying password guessing
> > libpam-abl - blocks hosts which are attempting a brute force attack
> > fail2ban
>
> The trouble with this approach is that an attacker can always widen
> their net, trying passwords against _many_ hosts, so that they only come
> back to any particular host after a decent interval. If they're smart
> they'll be using a lot of source addresses (a bot-net, say) and they'll
> be able to work out quite quickly what the parameters are for you to ban
> them, and aim just under the RADAR.
>
> So, what you're doing is blocking only the less dangerous attackers
> while giving yourself a nice warm glow.
>
> One would be a lot better off disabling passwords, <snip more alternatives>
Indeed. Perhaps we can allow password-based logins from the local network,
while requiring keypair-based authentication for logins from the internet.

Bye,
Joost

-- 
In their capacity as a tool, computers will be but a ripple on the surface
of our culture. In their capacity as intellectual challenge, they are
without precedent in the cultural history of mankind.
--Edsger W Dijkstra (1930-2002), Turing Award lecture
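One way to implement the split Joost suggests is an OpenSSH `sshd_config` that disables password authentication globally and re-enables it only in a `Match Address` block for the LAN. This is an added example, not configuration from the thread or from the FreedomBox project; the network `192.168.1.0/24` is a constructed placeholder for the box's own local range.

```conf
# Added example (not from the thread): sshd_config fragment that requires
# public-key authentication from the internet but still accepts passwords
# from the local network. 192.168.1.0/24 is a constructed placeholder.

# Global defaults: apply to every connection unless a Match block overrides them.
PubkeyAuthentication yes
PasswordAuthentication no
# Also turn off keyboard-interactive, otherwise PAM can still prompt for a
# password (on older OpenSSH the keyword is ChallengeResponseAuthentication).
KbdInteractiveAuthentication no
PermitRootLogin prohibit-password
UsePAM yes

# Relax the password rule only for clients whose source address is on the LAN.
# A Match block applies from here until the next Match line or end of file,
# so keep it after the global settings.
Match Address 192.168.1.0/24
    PasswordAuthentication yes
    KbdInteractiveAuthentication yes
```

Check the syntax with `sshd -t`, and confirm which rule a given peer would hit with `sshd -T -C user=joost,host=h,addr=192.168.1.10` versus an internet address: the `-T` output prints the effective `passwordauthentication` value for that source. The trust here is purely by source address, so any device on the LAN (a compromised laptop included) gets a password prompt, and if connections arrive through a port forward or proxy that rewrites the source address the Match block will not see the real peer.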
