Protecting against ssh brute-force attacks

Neal Becker ndbecker2 at gmail.com
Wed Nov 2 19:07:25 UTC 2005


Jason L Tibbitts III wrote:

>>>>>> "NB" == Neal Becker
>>>>>> <ndbecker2 at gmail.com> writes:
> 
> NB> denyhosts has a big problem - it never removes entries - so
> NB> hosts.deny will grow without bounds.
> 
> This is untrue.  You can specify how long entries live in hosts.deny,
> and how often the daemon will attempt to prune them.
> 

I'm sorry - you are correct.

Unfortunately (IMO) the expiration is set to 1 year by default.  That's
awfully high considering the rate my ssh is attacked.  I'd suggest patching
the rpm to set it to perhaps 1 week?

Still, I'm concerned that a large hosts.deny could lead to performance
issues, and I'm guessing (based on no evidence at all) that an
iptables-based approach might scale better.

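The expiry behaviour under discussion, shown as an added example that is not DenyHosts' own code: a pruner that drops time-stamped sshd deny entries older than a configurable window, run once with the 1-year default and once with the 1-week value suggested above. The setting name PURGE_DENY and its interval syntax ("1w", "1y") come from DenyHosts' configuration; the trailing "# DenyHosts: <timestamp>" comment format and the sample entries are assumptions constructed for this example.

```python
"""Prune time-stamped sshd deny entries from a hosts.deny-style file.

Added example, not DenyHosts code. It assumes (assumed format) that each
entry DenyHosts wrote carries a trailing '# DenyHosts: YYYY-MM-DD HH:MM:SS'
comment; lines without that marker (hand-written rules) are kept untouched.
"""
import re
from datetime import datetime, timedelta

MARKER = re.compile(r"#\s*DenyHosts:\s*(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s*$")


def parse_expiry(spec):
    """Convert a PURGE_DENY-style interval ('1w', '3d', '2h', '1y') to a timedelta."""
    units = {"m": 60, "h": 3600, "d": 86400, "w": 7 * 86400, "y": 365 * 86400}
    return timedelta(seconds=int(spec[:-1]) * units[spec[-1]])


def prune(lines, expiry, now):
    """Return (kept_lines, dropped_count); marked entries older than `expiry` go."""
    cutoff = now - expiry
    kept, dropped = [], 0
    for line in lines:
        m = MARKER.search(line)
        if m and datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S") < cutoff:
            dropped += 1
            continue
        kept.append(line)
    return kept, dropped


# Constructed sample hosts.deny content (RFC 5737 documentation addresses).
SAMPLE = [
    "ALL: 192.0.2.0/24",  # hand-written rule, no marker: never pruned
    "sshd: 203.0.113.5 # DenyHosts: 2005-01-10 08:00:00",
    "sshd: 203.0.113.9 # DenyHosts: 2005-10-30 12:00:00",
    "sshd: 198.51.100.7 # DenyHosts: 2005-11-02 06:00:00",
]
NOW = datetime(2005, 11, 2, 19, 0, 0)  # constructed "current time"

if __name__ == "__main__":
    # With the 1-year default nothing in a year-old file is ever dropped;
    # with 1 week the January entry is expired and the file stays bounded.
    for spec in ("1y", "1w"):
        kept, dropped = prune(SAMPLE, parse_expiry(spec), NOW)
        print(f"PURGE_DENY={spec}: kept {len(kept)}, dropped {dropped}")
```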