Re: [Mageia-dev] Fail2Ban vs Blockhosts vs DenyHosts vs iptable throttle for SSH
On 19/02/13 12:51, fi...@linuxbsdos.com wrote:
>
>
> On 2013-02-19 11:45, Robert Fox wrote:
>> On Tue, 2013-02-19 at 12:35 +0100, Guillaume Rousse wrote:
>>> On 19/02/2013 12:20, fi...@linuxbsdos.com wrote:
>>> > If that's how you feel about having a program like DenyHosts running by
>>> > default, do you feel the same way about having a firewall running and
>>> > configured out of the box.
>>> >
>>> > Is a firewall a sysadmin's or packager's choice?
>>> A sysadmin choice. Pushing always more stuff 'by default' doesn't help
>>> users to make educated choices.
>>
>> On one hand I agree, on the other hand - we want a distribution which
>> simply works and common choices are made (like which firewall) from the
>> distro side - a good enough Sysadmin can then change to his/her liking
>> afterwards. This is more or less a distro "philosophy" question, but
>> look why "Mint" has become so popular - because many choices are made
>> upfront for the user - yet the flexibility is in the system (and enough
>> packages) for an advanced user to change them!
>>
>> As long as the default settings are documented upfront - I see no issue
>> in making such a decision on behalf of the "average" user - and making a
>> more security robust distribution.
>>
>> BTW, there is no Mageia package for BlockHosts - but fail2ban and
>> DenyHosts there are packages . . .
>>
>
> This is the point that many distro devs don't seem to understand. People
> want a system that just works. Have you observed that Macs are very
> popular with geeks, that is, the guys who can mess with a system in and
> out. Why?
>
> How did Ubuntu and Mint become so popular? That's right, they just work.
> All the sane options have been pre-selected.
>
> I once had a discussion with a dev who did not want to have the updates
> manager's icon in the systray because he did not want to clutter that
> part of the panel.
>
>
> --
> finid
>

With this in mind could somebody mind looking at bugs 8985, 8986, 8987 and possibly also 9107.

https://bugs.mageia.org/show_bug.cgi?id=8985
https://bugs.mageia.org/show_bug.cgi?id=8986
https://bugs.mageia.org/show_bug.cgi?id=8987
https://bugs.mageia.org/show_bug.cgi?id=9107

T.I.A.

Claire
Re: [Mageia-dev] Fail2Ban vs Blockhosts vs DenyHosts vs iptable throttle for SSH
'Twas brillig, and fi...@linuxbsdos.com at 19/02/13 12:44 did gyre and gimble:
> On 2013-02-19 12:13, Colin Guthrie wrote:
>> So overall I'd welcome a default setup that allows things to be more
>> secure/robust by default (obviously balanced against user experience -
>> e.g. a *very* secure setup would be to ban all traffic in or out... but
>> that's not a nice user experience :D).
>>
>
> If you are referring to a firewall, banning "all traffic in or out" does
> not make sense.

Yes... that's why I used it as an example of something that didn't make sense ;)

--
Colin Guthrie
colin(at)mageia.org
http://colin.guthr.ie/

Day Job:
  Tribalogic Limited http://www.tribalogic.net/
Open Source:
  Mageia Contributor http://www.mageia.org/
  PulseAudio Hacker http://www.pulseaudio.org/
  Trac Hacker http://trac.edgewall.org/
Re: [Mageia-dev] Fail2Ban vs Blockhosts vs DenyHosts vs iptable throttle for SSH
> Hello all!
>
> After reading this article:
> http://it.slashdot.org/story/13/02/16/2129244/ssh-password-gropers-are-now-trying-high-ports?utm_source=rss1.0mainlinkanon&utm_medium=feed
>
> I have been using Blockhosts (http://www.aczoom.com/blockhosts) for many
> years now without issue (I also use a certificate with passwords turned
> off) but I leave the port as standard 22
>
> I never tried the others, so not sure which is most effective . . .
>
> My question is two fold:
>
> 1) I was curious of what others use on Mageia - and your experiences
>
> 2) Should we not have something standard in the SSH config during
> install as a dependency? Make it automatic so at least the standard
> config of ssh is a bit more protected from bot scans??

Security is as strong as the weakest link. A user's system is as secure as their password, and by default you can't get in as root.
Re: [Mageia-dev] Fail2Ban vs Blockhosts vs DenyHosts vs iptable throttle for SSH
On 2013-02-19 11:45, Robert Fox wrote:
> On Tue, 2013-02-19 at 12:35 +0100, Guillaume Rousse wrote:
>> On 19/02/2013 12:20, fi...@linuxbsdos.com wrote:
>> > If that's how you feel about having a program like DenyHosts running by
>> > default, do you feel the same way about having a firewall running and
>> > configured out of the box.
>> >
>> > Is a firewall a sysadmin's or packager's choice?
>> A sysadmin choice. Pushing always more stuff 'by default' doesn't help
>> users to make educated choices.
>
> On one hand I agree, on the other hand - we want a distribution which
> simply works and common choices are made (like which firewall) from the
> distro side - a good enough Sysadmin can then change to his/her liking
> afterwards. This is more or less a distro "philosophy" question, but
> look why "Mint" has become so popular - because many choices are made
> upfront for the user - yet the flexibility is in the system (and enough
> packages) for an advanced user to change them!
>
> As long as the default settings are documented upfront - I see no issue
> in making such a decision on behalf of the "average" user - and making a
> more security robust distribution.
>
> BTW, there is no Mageia package for BlockHosts - but fail2ban and
> DenyHosts there are packages . . .
>

This is the point that many distro devs don't seem to understand. People want a system that just works. Have you observed that Macs are very popular with geeks, that is, the guys who can mess with a system in and out. Why?

How did Ubuntu and Mint become so popular? That's right, they just work. All the sane options have been pre-selected.

I once had a discussion with a dev who did not want to have the updates manager's icon in the systray because he did not want to clutter that part of the panel.

--
finid
Re: [Mageia-dev] Fail2Ban vs Blockhosts vs DenyHosts vs iptable throttle for SSH
On 2013-02-19 12:13, Colin Guthrie wrote:
> 'Twas brillig, and Robert Fox at 19/02/13 11:45 did gyre and gimble:
>> On Tue, 2013-02-19 at 12:35 +0100, Guillaume Rousse wrote:
>>> On 19/02/2013 12:20, fi...@linuxbsdos.com wrote:
>>>> If that's how you feel about having a program like DenyHosts running by
>>>> default, do you feel the same way about having a firewall running and
>>>> configured out of the box.
>>>>
>>>> Is a firewall a sysadmin's or packager's choice?
>>> A sysadmin choice. Pushing always more stuff 'by default' doesn't help
>>> users to make educated choices.
>>
>> On one hand I agree, on the other hand - we want a distribution which
>> simply works and common choices are made (like which firewall) from the
>> distro side - a good enough Sysadmin can then change to his/her liking
>> afterwards. This is more or less a distro "philosophy" question, but
>> look why "Mint" has become so popular - because many choices are made
>> upfront for the user - yet the flexibility is in the system (and enough
>> packages) for an advanced user to change them!
>>
>> As long as the default settings are documented upfront - I see no issue
>> in making such a decision on behalf of the "average" user - and making a
>> more security robust distribution.
>
> Yup, I agree with this. I know my way around sufficiently that I can
> happily change the stuff I don't like. I think we do have to pick
> reasonably sensible defaults. Ultimately that's what msec does too -
> defines sensible defaults for the security level picked.
>
> So overall I'd welcome a default setup that allows things to be more
> secure/robust by default (obviously balanced against user experience -
> e.g. a *very* secure setup would be to ban all traffic in or out... but
> that's not a nice user experience :D).
>

If you are referring to a firewall, banning "all traffic in or out" does not make sense. I'm sure we are all familiar with the concept of Stateful Inspection.

--
finid
Re: [Mageia-dev] Fail2Ban vs Blockhosts vs DenyHosts vs iptable throttle for SSH
'Twas brillig, and Robert Fox at 19/02/13 11:45 did gyre and gimble:
> On Tue, 2013-02-19 at 12:35 +0100, Guillaume Rousse wrote:
>> On 19/02/2013 12:20, fi...@linuxbsdos.com wrote:
>>> If that's how you feel about having a program like DenyHosts running by
>>> default, do you feel the same way about having a firewall running and
>>> configured out of the box.
>>>
>>> Is a firewall a sysadmin's or packager's choice?
>> A sysadmin choice. Pushing always more stuff 'by default' doesn't help
>> users to make educated choices.
>
> On one hand I agree, on the other hand - we want a distribution which
> simply works and common choices are made (like which firewall) from the
> distro side - a good enough Sysadmin can then change to his/her liking
> afterwards. This is more or less a distro "philosophy" question, but
> look why "Mint" has become so popular - because many choices are made
> upfront for the user - yet the flexibility is in the system (and enough
> packages) for an advanced user to change them!
>
> As long as the default settings are documented upfront - I see no issue
> in making such a decision on behalf of the "average" user - and making a
> more security robust distribution.

Yup, I agree with this. I know my way around sufficiently that I can happily change the stuff I don't like. I think we do have to pick reasonably sensible defaults. Ultimately that's what msec does too - defines sensible defaults for the security level picked.

So overall I'd welcome a default setup that allows things to be more secure/robust by default (obviously balanced against user experience - e.g. a *very* secure setup would be to ban all traffic in or out... but that's not a nice user experience :D).

Col

--
Colin Guthrie
colin(at)mageia.org
http://colin.guthr.ie/

Day Job:
  Tribalogic Limited http://www.tribalogic.net/
Open Source:
  Mageia Contributor http://www.mageia.org/
  PulseAudio Hacker http://www.pulseaudio.org/
  Trac Hacker http://trac.edgewall.org/
Re: [Mageia-dev] Fail2Ban vs Blockhosts vs DenyHosts vs iptable throttle for SSH
On Tue, 2013-02-19 at 12:35 +0100, Guillaume Rousse wrote:
> On 19/02/2013 12:20, fi...@linuxbsdos.com wrote:
> > If that's how you feel about having a program like DenyHosts running by
> > default, do you feel the same way about having a firewall running and
> > configured out of the box.
> >
> > Is a firewall a sysadmin's or packager's choice?
> A sysadmin choice. Pushing always more stuff 'by default' doesn't help
> users to make educated choices.

On one hand I agree, on the other hand - we want a distribution which simply works and common choices are made (like which firewall) from the distro side - a good enough Sysadmin can then change to his/her liking afterwards. This is more or less a distro "philosophy" question, but look why "Mint" has become so popular - because many choices are made upfront for the user - yet the flexibility is in the system (and enough packages) for an advanced user to change them!

As long as the default settings are documented upfront - I see no issue in making such a decision on behalf of the "average" user - and making a more security robust distribution.

BTW, there is no Mageia package for BlockHosts - but fail2ban and DenyHosts there are packages . . .

Cheers,
Robert
Re: [Mageia-dev] Fail2Ban vs Blockhosts vs DenyHosts vs iptable throttle for SSH
On 19/02/2013 12:20, fi...@linuxbsdos.com wrote:
> If that's how you feel about having a program like DenyHosts running by
> default, do you feel the same way about having a firewall running and
> configured out of the box.
>
> Is a firewall a sysadmin's or packager's choice?

A sysadmin choice. Pushing always more stuff 'by default' doesn't help users to make educated choices.

--
BOFH excuse #245:

The Borg tried to assimilate your system. Resistance is futile.
Re: [Mageia-dev] Fail2Ban vs Blockhosts vs DenyHosts vs iptable throttle for SSH
If that's how you feel about having a program like DenyHosts running by default, do you feel the same way about having a firewall running and configured out of the box.

Is a firewall a sysadmin's or packager's choice?

--
finid

On 2013-02-19 11:03, Guillaume Rousse wrote:
> On 19/02/2013 11:06, fi...@linuxbsdos.com wrote:
>> Sounds like a good idea to have something in place out of the box.
>> PC-BSD, which has SSH server running by default also has DenyHosts
>> configured and running by default.
> That's a sysadmin choice, not a packager one. Bloating every machine
> just because it may be useful in some cases doesn't seem a good idea.
>
> And the best defense against ssh scan bot is to forbid password-based
> authentications, BTW.
Re: [Mageia-dev] Fail2Ban vs Blockhosts vs DenyHosts vs iptable throttle for SSH
On 19/02/2013 11:06, fi...@linuxbsdos.com wrote:
> Sounds like a good idea to have something in place out of the box.
> PC-BSD, which has SSH server running by default also has DenyHosts
> configured and running by default.

That's a sysadmin choice, not a packager one. Bloating every machine just because it may be useful in some cases doesn't seem a good idea.

And the best defense against ssh scan bot is to forbid password-based authentications, BTW.

--
BOFH excuse #379:

We've picked COBOL as the language of choice.
Re: [Mageia-dev] Fail2Ban vs Blockhosts vs DenyHosts vs iptable throttle for SSH
Sounds like a good idea to have something in place out of the box. PC-BSD, which has SSH server running by default also has DenyHosts configured and running by default.

--
finid

On 2013-02-19 09:55, Robert Fox wrote:
> Hello all!
>
> After reading this article:
> http://it.slashdot.org/story/13/02/16/2129244/ssh-password-gropers-are-now-trying-high-ports?utm_source=rss1.0mainlinkanon&utm_medium=feed
>
> I have been using Blockhosts (http://www.aczoom.com/blockhosts) for many
> years now without issue (I also use a certificate with passwords turned
> off) but I leave the port as standard 22
>
> I never tried the others, so not sure which is most effective . . .
>
> My question is two fold:
>
> 1) I was curious of what others use on Mageia - and your experiences
>
> 2) Should we not have something standard in the SSH config during
> install as a dependency? Make it automatic so at least the standard
> config of ssh is a bit more protected from bot scans??
>
> I'm interested to see what everyone says on this list . . .
>
> Have a nice day-
>
> Cheers,
> R.Fox
[Mageia-dev] Fail2Ban vs Blockhosts vs DenyHosts vs iptable throttle for SSH
Hello all!

After reading this article:
http://it.slashdot.org/story/13/02/16/2129244/ssh-password-gropers-are-now-trying-high-ports?utm_source=rss1.0mainlinkanon&utm_medium=feed

I have been using Blockhosts (http://www.aczoom.com/blockhosts) for many years now without issue (I also use a certificate with passwords turned off) but I leave the port as standard 22

I never tried the others, so not sure which is most effective . . .

My question is two fold:

1) I was curious of what others use on Mageia - and your experiences

2) Should we not have something standard in the SSH config during install as a dependency? Make it automatic so at least the standard config of ssh is a bit more protected from bot scans??

I'm interested to see what everyone says on this list . . .

Have a nice day-

Cheers,
R.Fox