[Mageia-dev] Fail2Ban vs Blockhosts vs DenyHosts vs iptable throttle for SSH
Hello all!

After reading this article:
http://it.slashdot.org/story/13/02/16/2129244/ssh-password-gropers-are-now-trying-high-ports?utm_source=rss1.0mainlinkanonutm_medium=feed

I have been using Blockhosts (http://www.aczoom.com/blockhosts) for many years now without issue (I also use a certificate with passwords turned off) but I leave the port as standard 22.

I never tried the others, so not sure which is most effective . . .

My question is twofold:

1) I was curious of what others use on Mageia - and your experiences
2) Should we not have something standard in the SSH config during install as a dependency? Make it automatic so at least the standard config of ssh is a bit more protected from bot scans??

I'm interested to see what everyone says on this list . . .

Have a nice day-

Cheers,
R.Fox
Re: [Mageia-dev] Fail2Ban vs Blockhosts vs DenyHosts vs iptable throttle for SSH
Sounds like a good idea to have something in place out of the box. PC-BSD, which has SSH server running by default also has DenyHosts configured and running by default.

-- finid

On 2013-02-19 09:55, Robert Fox wrote:
> Hello all!
>
> After reading this article:
> http://it.slashdot.org/story/13/02/16/2129244/ssh-password-gropers-are-now-trying-high-ports?utm_source=rss1.0mainlinkanonutm_medium=feed
>
> I have been using Blockhosts (http://www.aczoom.com/blockhosts) for many years now without issue (I also use a certificate with passwords turned off) but I leave the port as standard 22.
>
> I never tried the others, so not sure which is most effective . . .
>
> My question is twofold:
>
> 1) I was curious of what others use on Mageia - and your experiences
> 2) Should we not have something standard in the SSH config during install as a dependency? Make it automatic so at least the standard config of ssh is a bit more protected from bot scans??
>
> I'm interested to see what everyone says on this list . . .
>
> Have a nice day-
>
> Cheers,
> R.Fox
Re: [Mageia-dev] Fail2Ban vs Blockhosts vs DenyHosts vs iptable throttle for SSH
On 19/02/2013 11:06, fi...@linuxbsdos.com wrote:
> Sounds like a good idea to have something in place out of the box. PC-BSD, which has SSH server running by default also has DenyHosts configured and running by default.

That's a sysadmin choice, not a packager one. Bloating every machine just because it may be useful in some cases doesn't seem a good idea.

And the best defense against ssh scan bot is to forbid password-based authentications, BTW.

--
BOFH excuse #379: We've picked COBOL as the language of choice.
Re: [Mageia-dev] Fail2Ban vs Blockhosts vs DenyHosts vs iptable throttle for SSH
If that's how you feel about having a program like DenyHosts running by default, do you feel the same way about having a firewall running and configured out of the box? Is a firewall a sysadmin's or packager's choice?

-- finid

On 2013-02-19 11:03, Guillaume Rousse wrote:
> On 19/02/2013 11:06, fi...@linuxbsdos.com wrote:
>> Sounds like a good idea to have something in place out of the box. PC-BSD, which has SSH server running by default also has DenyHosts configured and running by default.
>
> That's a sysadmin choice, not a packager one. Bloating every machine just because it may be useful in some cases doesn't seem a good idea.
>
> And the best defense against ssh scan bot is to forbid password-based authentications, BTW.
Re: [Mageia-dev] Fail2Ban vs Blockhosts vs DenyHosts vs iptable throttle for SSH
On 19/02/2013 12:20, fi...@linuxbsdos.com wrote:
> If that's how you feel about having a program like DenyHosts running by default, do you feel the same way about having a firewall running and configured out of the box? Is a firewall a sysadmin's or packager's choice?

A sysadmin choice. Pushing always more stuff 'by default' doesn't help users to make educated choices.

--
BOFH excuse #245: The Borg tried to assimilate your system. Resistance is futile.
Re: [Mageia-dev] Fail2Ban vs Blockhosts vs DenyHosts vs iptable throttle for SSH
On Tue, 2013-02-19 at 12:35 +0100, Guillaume Rousse wrote:
> On 19/02/2013 12:20, fi...@linuxbsdos.com wrote:
>> If that's how you feel about having a program like DenyHosts running by default, do you feel the same way about having a firewall running and configured out of the box? Is a firewall a sysadmin's or packager's choice?
>
> A sysadmin choice. Pushing always more stuff 'by default' doesn't help users to make educated choices.

On one hand I agree, on the other hand - we want a distribution which simply works and common choices are made (like which firewall) from the distro side - a good enough Sysadmin can then change to his/her liking afterwards. This is more or less a distro philosophy question, but look why Mint has become so popular - because many choices are made upfront for the user - yet the flexibility is in the system (and enough packages) for an advanced user to change them!

As long as the default settings are documented upfront - I see no issue in making such a decision on behalf of the average user - and making a more security robust distribution.

BTW, there is no Mageia package for BlockHosts - but fail2ban and DenyHosts there are packages . . .

Cheers,
Robert
Re: [Mageia-dev] Fail2Ban vs Blockhosts vs DenyHosts vs iptable throttle for SSH
'Twas brillig, and Robert Fox at 19/02/13 11:45 did gyre and gimble:
> On Tue, 2013-02-19 at 12:35 +0100, Guillaume Rousse wrote:
>> On 19/02/2013 12:20, fi...@linuxbsdos.com wrote:
>>> If that's how you feel about having a program like DenyHosts running by default, do you feel the same way about having a firewall running and configured out of the box? Is a firewall a sysadmin's or packager's choice?
>>
>> A sysadmin choice. Pushing always more stuff 'by default' doesn't help users to make educated choices.
>
> On one hand I agree, on the other hand - we want a distribution which simply works and common choices are made (like which firewall) from the distro side - a good enough Sysadmin can then change to his/her liking afterwards. This is more or less a distro philosophy question, but look why Mint has become so popular - because many choices are made upfront for the user - yet the flexibility is in the system (and enough packages) for an advanced user to change them!
>
> As long as the default settings are documented upfront - I see no issue in making such a decision on behalf of the average user - and making a more security robust distribution.

Yup, I agree with this. I know my way around sufficiently that I can happily change the stuff I don't like. I think we do have to pick reasonably sensible defaults. Ultimately that's what msec does too - defines sensible defaults for the security level picked.

So overall I'd welcome a default setup that allows things to be more secure/robust by default (obviously balanced against user experience - e.g. a *very* secure setup would be to ban all traffic in or out... but that's not a nice user experience :D).

Col

--

Colin Guthrie
colin(at)mageia.org
http://colin.guthr.ie/

Day Job:
  Tribalogic Limited http://www.tribalogic.net/
Open Source:
  Mageia Contributor http://www.mageia.org/
  PulseAudio Hacker http://www.pulseaudio.org/
  Trac Hacker http://trac.edgewall.org/
Re: [Mageia-dev] Fail2Ban vs Blockhosts vs DenyHosts vs iptable throttle for SSH
On 2013-02-19 12:13, Colin Guthrie wrote:
> 'Twas brillig, and Robert Fox at 19/02/13 11:45 did gyre and gimble:
>> On Tue, 2013-02-19 at 12:35 +0100, Guillaume Rousse wrote:
>>> On 19/02/2013 12:20, fi...@linuxbsdos.com wrote:
>>>> If that's how you feel about having a program like DenyHosts running by default, do you feel the same way about having a firewall running and configured out of the box? Is a firewall a sysadmin's or packager's choice?
>>>
>>> A sysadmin choice. Pushing always more stuff 'by default' doesn't help users to make educated choices.
>>
>> On one hand I agree, on the other hand - we want a distribution which simply works and common choices are made (like which firewall) from the distro side - a good enough Sysadmin can then change to his/her liking afterwards. This is more or less a distro philosophy question, but look why Mint has become so popular - because many choices are made upfront for the user - yet the flexibility is in the system (and enough packages) for an advanced user to change them!
>>
>> As long as the default settings are documented upfront - I see no issue in making such a decision on behalf of the average user - and making a more security robust distribution.
>
> Yup, I agree with this. I know my way around sufficiently that I can happily change the stuff I don't like. I think we do have to pick reasonably sensible defaults. Ultimately that's what msec does too - defines sensible defaults for the security level picked.
>
> So overall I'd welcome a default setup that allows things to be more secure/robust by default (obviously balanced against user experience - e.g. a *very* secure setup would be to ban all traffic in or out... but that's not a nice user experience :D).

If you are referring to a firewall, banning all traffic in or out does not make sense. I'm sure we are all familiar with the concept of Stateful Inspection.

-- finid
Re: [Mageia-dev] Fail2Ban vs Blockhosts vs DenyHosts vs iptable throttle for SSH
On 2013-02-19 11:45, Robert Fox wrote:
> On Tue, 2013-02-19 at 12:35 +0100, Guillaume Rousse wrote:
>> On 19/02/2013 12:20, fi...@linuxbsdos.com wrote:
>>> If that's how you feel about having a program like DenyHosts running by default, do you feel the same way about having a firewall running and configured out of the box? Is a firewall a sysadmin's or packager's choice?
>>
>> A sysadmin choice. Pushing always more stuff 'by default' doesn't help users to make educated choices.
>
> On one hand I agree, on the other hand - we want a distribution which simply works and common choices are made (like which firewall) from the distro side - a good enough Sysadmin can then change to his/her liking afterwards. This is more or less a distro philosophy question, but look why Mint has become so popular - because many choices are made upfront for the user - yet the flexibility is in the system (and enough packages) for an advanced user to change them!
>
> As long as the default settings are documented upfront - I see no issue in making such a decision on behalf of the average user - and making a more security robust distribution.
>
> BTW, there is no Mageia package for BlockHosts - but fail2ban and DenyHosts there are packages . . .

This is the point that many distro devs don't seem to understand. People want a system that just works. Have you observed that Macs are very popular with geeks, that is, the guys who can mess with a system in and out. Why? How did Ubuntu and Mint become so popular?

That's right, they just work. All the sane options have been pre-selected.

I once had a discussion with a dev who did not want to have the updates manager's icon in the systray because he did not want to clutter that part of the panel.

-- finid
Re: [Mageia-dev] Fail2Ban vs Blockhosts vs DenyHosts vs iptable throttle for SSH
'Twas brillig, and fi...@linuxbsdos.com at 19/02/13 12:44 did gyre and gimble:
> On 2013-02-19 12:13, Colin Guthrie wrote:
>> So overall I'd welcome a default setup that allows things to be more secure/robust by default (obviously balanced against user experience - e.g. a *very* secure setup would be to ban all traffic in or out... but that's not a nice user experience :D).
>
> If you are referring to a firewall, banning all traffic in or out does not make sense.

Yes... that's why I used it as an example of something that didn't make sense ;)

--

Colin Guthrie
colin(at)mageia.org
http://colin.guthr.ie/

Day Job:
  Tribalogic Limited http://www.tribalogic.net/
Open Source:
  Mageia Contributor http://www.mageia.org/
  PulseAudio Hacker http://www.pulseaudio.org/
  Trac Hacker http://trac.edgewall.org/
Re: [Mageia-dev] Fail2Ban vs Blockhosts vs DenyHosts vs iptable throttle for SSH
On 19/02/13 12:51, fi...@linuxbsdos.com wrote:
> On 2013-02-19 11:45, Robert Fox wrote:
>> On Tue, 2013-02-19 at 12:35 +0100, Guillaume Rousse wrote:
>>> On 19/02/2013 12:20, fi...@linuxbsdos.com wrote:
>>>> If that's how you feel about having a program like DenyHosts running by default, do you feel the same way about having a firewall running and configured out of the box? Is a firewall a sysadmin's or packager's choice?
>>>
>>> A sysadmin choice. Pushing always more stuff 'by default' doesn't help users to make educated choices.
>>
>> On one hand I agree, on the other hand - we want a distribution which simply works and common choices are made (like which firewall) from the distro side - a good enough Sysadmin can then change to his/her liking afterwards. This is more or less a distro philosophy question, but look why Mint has become so popular - because many choices are made upfront for the user - yet the flexibility is in the system (and enough packages) for an advanced user to change them!
>>
>> As long as the default settings are documented upfront - I see no issue in making such a decision on behalf of the average user - and making a more security robust distribution.
>>
>> BTW, there is no Mageia package for BlockHosts - but fail2ban and DenyHosts there are packages . . .
>
> This is the point that many distro devs don't seem to understand. People want a system that just works. Have you observed that Macs are very popular with geeks, that is, the guys who can mess with a system in and out. Why? How did Ubuntu and Mint become so popular?
>
> That's right, they just work. All the sane options have been pre-selected.
>
> I once had a discussion with a dev who did not want to have the updates manager's icon in the systray because he did not want to clutter that part of the panel.
>
> -- finid

With this in mind could somebody mind looking at bugs 8985, 8986, 8987 and possibly also 9107.

https://bugs.mageia.org/show_bug.cgi?id=8985
https://bugs.mageia.org/show_bug.cgi?id=8986
https://bugs.mageia.org/show_bug.cgi?id=8987
https://bugs.mageia.org/show_bug.cgi?id=9107

T.I.A.

Claire