On Mon, Oct 7, 2013 at 10:37 AM, Toshio Kuratomi <a.bad...@gmail.com> wrote: > Objection. > > + Use denyhosts as this is what we're using on the rest of infra. > > + we should talk a bit about whether we want denyhosts on for all cloud > boxes or just specific ones. I lean towards enabling it for security but we > did envision the cloud hosts being more forgiving than the rest of infra's > hosts so we should just take a moment to make sure there's no use cases it's > impacting.
If you do ever consider moving away from denyhosts please take a look at solutions that don't require log scraping which denyhosts has already proved can be yet another security hole. Philosophically I don't see much difference between these two choices (denyhosts and fail2ban as both share in the less than optimal method of log scraping to trigger action). I would at least reconsider other options at that time. Things that don't depend on logs like pam_abl seem to my mind be better designed with security in mind. John _______________________________________________ infrastructure mailing list infrastructure@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/infrastructure
