Time to pick up this thread again, and set up some defence against the simple and stupid brute force attacks. Since the last discussion, I've submitted bug #742024 to ask libpam-abl to be enabled by default after installation, making it a more viable option for us, and bringing it on par with libpam-shield in this regard.
These are the known options:

- iptables / ufw rules. It can trigger on many connections, but is not really an option, as it is unable to detect failed logins.

- libpam-shield - locks out remote attackers trying password guessing. Working option, just install and get the shield in place. But it blocks for one week by default, which is way too long. The package is orphaned, so if we are to use it someone needs to adopt it. It can be used if we adjust the default configuration.

- libpam-abl - blocks hosts which are attempting a brute force attack. Working option, just install and get the shield in place. But it blocks for 24 hours by default, which is a bit too long. I've asked for it to be reduced to 1-2 hours in bug #751551, but do not know what the maintainer will say. It can be used directly, but we should perhaps adjust the default configuration to reduce the block period.

- fail2ban - ban hosts that cause multiple authentication errors
- (*) denyhosts - Utility to help sys admins thwart SSH crackers
  Working options, but only handle ssh by default.

- configure ssh to block password authentication and require ssh keys to log in, at least over the internet.

- configure ssh to not use port 22, or require port knocking to log in.

These options are not exclusive, and we can pick combinations that make sense. I believe it is best to handle this issue on the PAM level, and there we have two options. Because libpam-shield is orphaned and has such a huge block period, I conclude that libpam-abl is our best option. We should also look at disabling password login from the Internet over ssh, and only allow it on the local network. I'll add it to the dependency list for freedombox-setup, to get it installed by default, unless someone objects with a good argument why this is a bad idea.
:)
-- 
Happy hacking
Petter Reinholdtsen

_______________________________________________
Freedombox-discuss mailing list
Freedombox-discuss@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/freedombox-discuss
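An added example, not part of Petter's post and not code from any of the packages it names: a small POSIX shell script that does over a few constructed auth.log-style lines what fail2ban, denyhosts and the PAM modules do internally (count failed password attempts per source address and flag hosts at or above a threshold), and prints the sshd_config fragment that implements the "keys only from the Internet, passwords only on the LAN" suggestion. The log lines are constructed and the 192.168.1.0/24 LAN range is an assumption; adjust both to your own box.

```shell
#!/bin/sh
# Constructed sample of sshd entries as they appear in /var/log/auth.log
# (not real log data). Three failures from one address, one from another,
# and one successful key login that must not count as a failure.
SAMPLE_LOG='Apr 20 10:01:02 box sshd[1201]: Failed password for root from 203.0.113.5 port 51212 ssh2
Apr 20 10:01:04 box sshd[1201]: Failed password for root from 203.0.113.5 port 51213 ssh2
Apr 20 10:01:30 box sshd[1205]: Failed password for invalid user admin from 198.51.100.7 port 40200 ssh2
Apr 20 10:02:00 box sshd[1210]: Accepted publickey for alice from 192.168.1.20 port 40001 ssh2
Apr 20 10:02:30 box sshd[1215]: Failed password for invalid user admin from 203.0.113.5 port 51220 ssh2'

# Print "<count> <address>" for every address with failed password
# attempts, most failures first. This is the same signal pam_abl,
# fail2ban and denyhosts key on; only the "Failed password" lines are
# matched, so accepted logins are ignored.
failed_by_host() {
    printf '%s\n' "$SAMPLE_LOG" |
    sed -n 's/.*sshd\[[0-9]*\]: Failed password for .* from \([0-9.]*\) port .*/\1/p' |
    sort | uniq -c | sort -rn
}

# Print the addresses whose failure count is at or above threshold $1.
# A real blocker would feed these to a firewall rule or a PAM deny list
# for a limited period (the block period discussed in the thread).
offenders() {
    threshold="$1"
    failed_by_host | awk -v t="$threshold" '$1 >= t { print $2 }'
}

# sshd_config fragment: key authentication only from the Internet,
# password authentication tolerated only from the local network.
# 192.168.1.0/24 is an assumed LAN range. Match blocks must be the last
# thing in sshd_config, so append this at the end of the file.
sshd_fragment() {
    cat <<'EOF'
PasswordAuthentication no
PubkeyAuthentication yes
Match Address 192.168.1.0/24
    PasswordAuthentication yes
EOF
}

# Stand-alone run: report hosts with three or more failures, then the fragment.
echo "Hosts with >= 3 failed password attempts:"
offenders 3
echo
echo "sshd_config fragment:"
sshd_fragment
```

Run it with `sh` to see the report; to use it against a live system, replace the `printf` of the sample with `cat /var/log/auth.log` and check the fragment with `sshd -t` before restarting sshd.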