Re: brute force ssh attempt mitigation



On Wed, 31 Mar 2010 09:02:09 -0600
Christer Edwards <christer edwards gmail com> wrote:

> On Wed, Mar 31, 2010 at 8:50 AM, Olav Vitters <olav vitters nl> wrote:
> >
> > Yes.
> >
> > Error message is due to the NFS mounts on puppet being broken
> > (/home/admin, /home/users). You can still log in though (aside from
> > home dir not existing complaints)
> >
> > --
> > Regards,
> > Olav
> >
> 
> So I'm hearing that bruteforce mitigation via denyhosts won't add any
> additional security, and I agree (after understanding better how
> accounts are managed). Does this mean let's just not bother? I don't
> think it'll hurt, and if anything it'll simply clean up the logs and
> cut down on the noise a bit.
> 

DenyHosts can hurt if a valid user tries logging in a few times from a
machine to which they have neglected to copy their key. DH will
blacklist them, and sysadmins will have to manually delete the IP
address in question from the DH blacklist.

This will result in increased RT tickets, a need for sysadmins to
manually edit files, and all for very little gain in terms of real
security.

While DH is a useful tool (I use it for my machines and the company
machines), on systems with a very large userbase that may or may not
pay attention to where their ssh keys exist, I think DH introduces more
problems than it solves.

One man's opinion.

-- 
./k

kurt von finck

http://www.mneptok.com

public key: keyserver.ubuntu.com
key id: 5229D26A
fingerprint: 127A A484 ADBF A5AD E7FB 8CD2 8913 18F4 5229 D26A

Music is the space between the notes. - Debussy
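The lock-out scenario Kurt describes above, as an added example that is not code from this thread or from DenyHosts itself: a deliberately small model of threshold-based blocking run over constructed sshd log lines. One source guesses accounts that do not exist; a second source is a real user who forgot to copy her key and fails a few times before giving up. Counting failures per source with a single low threshold blocks both, which is the false positive the message warns about. The separate thresholds for non-existent versus real accounts, the allowlist of trusted networks, and the `unblock` helper are this model's own simplifications (assumptions for illustration, not DenyHosts' configuration), and the log excerpt is constructed.

```python
import ipaddress
import re
from collections import Counter

# Constructed sshd log excerpt (not taken from the thread): a scanner trying
# accounts that do not exist, and a real user, alice, who fails three times
# from a machine without her key before she gives up.
SAMPLE_AUTH_LOG = """\
Mar 31 09:10:01 puppet sshd[1001]: Failed password for invalid user admin from 198.51.100.7 port 40001 ssh2
Mar 31 09:10:02 puppet sshd[1002]: Failed password for invalid user oracle from 198.51.100.7 port 40002 ssh2
Mar 31 09:10:03 puppet sshd[1003]: Failed password for invalid user test from 198.51.100.7 port 40003 ssh2
Mar 31 09:12:10 puppet sshd[1010]: Failed password for alice from 203.0.113.5 port 50001 ssh2
Mar 31 09:12:15 puppet sshd[1011]: Failed password for alice from 203.0.113.5 port 50002 ssh2
Mar 31 09:12:20 puppet sshd[1012]: Failed password for alice from 203.0.113.5 port 50003 ssh2
Mar 31 09:13:00 puppet sshd[1013]: Accepted publickey for alice from 203.0.113.5 port 50004 ssh2
"""

# Matches the classic "Failed <method> for [invalid user ]<name> from <ip>" line.
FAILED_RE = re.compile(
    r"Failed \S+ for (?P<invalid>invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)"
)


def parse_failures(log_text):
    """Yield (ip, user, account_exists) for every failed-auth line."""
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            yield m["ip"], m["user"], m["invalid"] is None


def decide_blocks(log_text, invalid_threshold=3, valid_threshold=3, allowlist=()):
    """Return {ip: reason} for sources that crossed a threshold.

    Failures against non-existent accounts and against real accounts are
    counted separately so the two thresholds can differ (a hypothetical
    refinement, not a claim about DenyHosts); any IP inside an allowlisted
    network is never blocked.
    """
    allowed = [ipaddress.ip_network(n) for n in allowlist]
    invalid_hits, valid_hits = Counter(), Counter()
    for ip, _user, account_exists in parse_failures(log_text):
        (valid_hits if account_exists else invalid_hits)[ip] += 1

    blocked = {}
    for ip in set(invalid_hits) | set(valid_hits):
        if any(ipaddress.ip_address(ip) in net for net in allowed):
            continue
        if invalid_hits[ip] >= invalid_threshold:
            blocked[ip] = f"{invalid_hits[ip]} failures against non-existent accounts"
        elif valid_hits[ip] >= valid_threshold:
            blocked[ip] = f"{valid_hits[ip]} failures against real accounts"
    return blocked


def unblock(blocked, ip):
    """Model the manual clean-up step from the message: drop one IP from the list."""
    return {k: v for k, v in blocked.items() if k != ip}


if __name__ == "__main__":
    # Naive single threshold: the scanner and alice are both blocked.
    print("naive:", decide_blocks(SAMPLE_AUTH_LOG))
    # Higher threshold for real accounts: only the scanner is blocked.
    print("tuned:", decide_blocks(SAMPLE_AUTH_LOG, valid_threshold=10))
    # Allowlisting the office network has the same effect for alice.
    print("allowlist:", decide_blocks(SAMPLE_AUTH_LOG, allowlist=["203.0.113.0/24"]))
```

Run as a script it prints the three block decisions; the `naive` case is the one that generates the ticket, and the other two show the knobs an operator would have to tune per site, which is the maintenance cost the message argues is not worth it for a large, key-forgetting user base.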

