On Tue, 2015-02-03 at 15:51 -0500, Jonathan Billings wrote:
> Also, it isn't up to the *installer* to set up a system that resists
> brute-force password attacks.

Give us the tools to do the job!

My amalgamated idea is:-

(1) When external access gets a password wrong on 'n' occasions, as determined by the SysAdmin, the external IP address is automatically permanently blocked unless that IP is included in an IP Tables 'allow' table.

(2) If specifically allowed in IP Tables, that IP be blocked for 'm' minutes, as determined by the SysAdmin, before another attempt can be made.

(3) All sensitive users be added to a special group. Limit the membership of that group to a collective maximum of 'n' SysAdmin-chosen wrong password attempts within a time interval of 't' chosen by the SysAdmin.

Baffled why it has never been done, but then I'm Always Learning.

-- 
Regards,

Paul.
England, EU. Je suis Charlie.
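The three rules above, written out as a small log-driven lockout engine so the policy can be checked against real-looking input. This is an added example, not code from the thread, from fail2ban or from sshguard. It assumes sshd lines in the /var/log/secure format, assumes the year 2015 for the year-less syslog timestamps, and uses constructed sample lines with RFC 5737 documentation addresses; the iptables commands it prints are what a hook script would run, not commands it executes.

```python
"""Toy lockout engine for the three proposed rules (added example)."""
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in /var/log/secure (sshd) format; addresses are
# from the RFC 5737 documentation ranges, not real hosts.
SAMPLE_LOG = """\
Feb  3 22:10:01 host sshd[4101]: Failed password for invalid user admin from 203.0.113.5 port 4422 ssh2
Feb  3 22:10:03 host sshd[4101]: Failed password for invalid user admin from 203.0.113.5 port 4422 ssh2
Feb  3 22:10:05 host sshd[4101]: Failed password for root from 203.0.113.5 port 4423 ssh2
Feb  3 22:10:06 host sshd[4102]: Failed password for root from 203.0.113.5 port 4424 ssh2
Feb  3 22:11:00 host sshd[4110]: Failed password for paul from 198.51.100.7 port 5000 ssh2
Feb  3 22:11:02 host sshd[4110]: Failed password for paul from 198.51.100.7 port 5000 ssh2
Feb  3 22:11:04 host sshd[4111]: Failed password for paul from 198.51.100.7 port 5001 ssh2
Feb  3 22:11:30 host sshd[4112]: Failed password for paul from 198.51.100.7 port 5002 ssh2
Feb  3 22:20:00 host sshd[4120]: Failed password for markus from 192.0.2.9 port 6000 ssh2
Feb  3 22:20:10 host sshd[4121]: Failed password for markus from 192.0.2.10 port 6001 ssh2
Feb  3 22:20:20 host sshd[4122]: Failed password for markus from 192.0.2.11 port 6002 ssh2
Feb  3 22:21:00 host sshd[4123]: Accepted publickey for keith from 192.0.2.20 port 7000 ssh2
"""

ASSUMED_YEAR = 2015  # syslog lines carry no year; taken from the thread's date (assumption)

FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_failure(line, year=ASSUMED_YEAR):
    """Return (timestamp, user, source_ip) for a failed-password line, else None."""
    m = FAILED_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S").replace(year=year)
    return ts, m.group("user"), m.group("ip")


class LockoutPolicy:
    """Rule 1: n failures from an IP -> permanent block.  Rule 2: allow-listed
    IPs get an m-minute block instead.  Rule 3: the sensitive group as a whole
    may fail at most n_group times in a t-minute sliding window."""

    def __init__(self, n_per_ip, m_minutes, allow, sensitive, n_group, t_minutes):
        self.n_per_ip = n_per_ip
        self.temp_block = timedelta(minutes=m_minutes)
        self.allow = [ipaddress.ip_network(a) for a in allow]
        self.sensitive = frozenset(sensitive)
        self.n_group = n_group
        self.window = timedelta(minutes=t_minutes)
        self.failures = defaultdict(int)  # ip -> failures since last block
        self.blocked_until = {}           # ip -> expiry, or None when permanent
        self.group_hits = deque()         # timestamps of failures against the group
        self.group_locked = False
        self.actions = []                 # (action, ip, expiry) in decision order

    def is_allowed(self, ip):
        return any(ipaddress.ip_address(ip) in net for net in self.allow)

    def is_blocked(self, ip, now):
        if ip not in self.blocked_until:
            return False
        until = self.blocked_until[ip]
        if until is None or now < until:
            return True
        del self.blocked_until[ip]        # temporary block has expired
        return False

    def feed(self, ts, user, ip):
        if self.is_blocked(ip, ts):
            return                        # firewall would have dropped it; do not count
        self.failures[ip] += 1
        if self.failures[ip] >= self.n_per_ip:
            self.failures[ip] = 0
            if self.is_allowed(ip):       # rule 2
                expiry = ts + self.temp_block
                self.blocked_until[ip] = expiry
                self.actions.append(("temp_block", ip, expiry))
            else:                         # rule 1
                self.blocked_until[ip] = None
                self.actions.append(("perm_block", ip, None))
        if user in self.sensitive and not self.group_locked:   # rule 3
            self.group_hits.append(ts)
            while ts - self.group_hits[0] > self.window:
                self.group_hits.popleft()
            if len(self.group_hits) >= self.n_group:
                self.group_locked = True
                self.actions.append(("lock_group", None, None))


def run(log_text, policy, year=ASSUMED_YEAR):
    """Feed every failed-password line to the policy and return its decisions."""
    for line in log_text.splitlines():
        parsed = parse_failure(line, year)
        if parsed:
            policy.feed(*parsed)
    return policy.actions


def to_iptables(actions):
    """Render decisions as the iptables commands a ban hook would run."""
    cmds = []
    for action, ip, expiry in actions:
        if action == "perm_block":
            cmds.append(f"iptables -I INPUT -s {ip} -j DROP")
        elif action == "temp_block":
            cmds.append(f"iptables -I INPUT -s {ip} -j DROP  # remove at {expiry:%H:%M:%S}")
        else:
            cmds.append("# lock_group: disable password auth for the group until an admin clears it")
    return cmds


if __name__ == "__main__":
    policy = LockoutPolicy(n_per_ip=3, m_minutes=10, allow=["198.51.100.0/24"],
                           sensitive={"root", "markus"}, n_group=3, t_minutes=5)
    for cmd in to_iptables(run(SAMPLE_LOG, policy)):
        print(cmd)
```

On the sample, 203.0.113.5 is blocked permanently on its third failure and its fourth line is never counted, the allow-listed 198.51.100.7 gets a ten-minute block instead, and three failures against the sensitive group spread over three source addresses trip rule 3 even though no single address reached n. That last case is the one a per-IP tool alone does not catch.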
On 2015-02-03 22:22, Always Learning wrote:
>
> On Tue, 2015-02-03 at 15:51 -0500, Jonathan Billings wrote:
>
>> Also, it isn't up to the *installer* to set up a system that resists
>> brute-force password attacks.
>
> Give us the tools to do the job!
>
> My amalgamated idea is:-
>
> (1) When external access gets a password wrong on 'n' occasions, as
> determined by the SysAdmin, the external IP address is automatically
> permanently blocked unless that IP is included in an IP Tables 'allow'
> table.
>
> (2) If specifically allowed in IP Tables, that IP be blocked for 'm'
> minutes, as determined by the SysAdmin, before another attempt can be
> made.
>
> (3) All sensitive users be added to a special group. Limit the
> membership of that group to a collective maximum of 'n' SysAdmin-chosen
> wrong password attempts within a time interval of 't' chosen by the
> SysAdmin.
>
> Baffled why it has never been done, but then I'm Always Learning.
>
>

I am maybe misled, but I thought that is exactly what fail2ban[1] would do, and this is already a few years out. Also it is, if I remember correctly, in EPEL.

Regards,
Markus

[1] http://www.fail2ban.org/wiki/index.php/Main_Page
On 2/3/2015 1:22 PM, Always Learning wrote:
> Baffled why it has never been done but then I'm Always Learning.

'fail2ban' with a bit of configuration for your exceptions.

-- 
john r pierce                                  37N 122W
somewhere on the middle of the left coast
On 2015-02-03, Markus <markus.scharitzer at gmail.com> wrote:
> On 2015-02-03 22:22, Always Learning wrote:
>>
>> (1) When external access gets a password wrong on 'n' occasions, as
>> determined by the SysAdmin, the external IP address is automatically
>> permanently blocked unless that IP is included in an IP Tables 'allow'
>> table.
>>
>> (2) If specifically allowed in IP Tables, that IP be blocked for 'm'
>> minutes, as determined by the SysAdmin, before another attempt can be
>> made.
>>
>> (3) All sensitive users be added to a special group. Limit the
>> membership of that group to a collective maximum of 'n' SysAdmin-chosen
>> wrong password attempts within a time interval of 't' chosen by the
>> SysAdmin.
>
> I am maybe misled, but I thought that is exactly what fail2ban[1] would
> do, and this is already a few years out. Also it is, if I remember
> correctly, in EPEL.

sshguard can also do this (not sure if it's in EPEL or another common repo).

http://www.sshguard.net

More paranoid sysadmins simply disable all password logins and make users use ssh keys instead.

--keith

-- 
kkeller at wombat.san-francisco.ca.us