[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: SSH on by default? (Was: too many deamons by default - F7 test 2 live cd)



Le Mar 20 mars 2007 10:59, Thomas M Steenholdt a écrit :
> Nicolas Mailhot wrote:
>> Le Mar 20 mars 2007 10:42, Thomas M Steenholdt a écrit :
>>> Nicolas Mailhot wrote:
>>>> Disabling ssh is not a good solution, many people need it. However the
>>>> default fedora ssh setup is woefully insecure
>>>>
>>>> At least ssh rate-limiting should be in the default firewall install.
>>>> Pam_abl would be even better (for other network services)
>>>>
>>> Blacklisting opens the potential for denial-of-service attacks. I'm not
>>> too familiar with the pam_abl implementation,
>>
>> You have per-source-host and per-target-user tuneables
>
> Potential problems with user=root and/or IP spoofing?

You have to balance the risk of DOSing with the protection level. But at
least you can special-case dangerous users, and protect against
distributed root attacks, which iptables won't notice.

-- 
Nicolas Mailhot


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]