On Mon, Oct 10, 2005 at 04:44:13PM +0200, Nicolai Ehemann wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Hello!
>
> I just (err, over the last 4 or 5 days) created a (hopefully
> standards-compliant) package for the pam_abl PAM module.
>
> The pam_abl module provides a fully configurable way to automatically
> and temporarily blacklist users and/or hosts with many login failures
> within specified intervals of time, so that any subsequent
> authentication attempt fails (without disclosing to the attacker that
> they have been blacklisted). As the number of password-guessing attacks
> on SSH servers on the net has grown strongly recently, I think this is a
> useful addition to security on hosts exposed to the net.

I don't think it is that useful, for the reasons outlined at
http://lists.debian.org/debian-security/2004/10/msg00133.html: you can
end up DoSing your legitimate users. Blacklisting hosts might make sense
(on the Internet, not internally); blacklisting users doesn't.

And, in either case, it makes much more sense to just prevent exposure by
preventing access to your SSH server: block per IP address (either with a
packet filter or tcp-wrappers), use knockd, or do these _and_ move the
server to a non-standard port so it does not get probed at all.

My 2c.

Javier
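The lockout concern Javier raises (a failure-count blacklist keyed on the username lets an attacker lock out the legitimate user, while one keyed on the client host does not) can be shown with a small simulation. The code below is an added illustration written for this archive page, not pam_abl's code or its configuration syntax: the `Blacklister` class, its parameters and the two RFC 5737 documentation addresses used for the attacker and for the legitimate user are all constructed for the example.

```python
"""Toy model of failure-count blacklisting, added to illustrate the
user-lockout (DoS) problem discussed in the thread.  This is NOT pam_abl's
implementation or rule format; the class, thresholds and addresses below
are assumptions made for the example."""
from collections import defaultdict, deque


class Blacklister:
    """Blacklist a key (the username or the client host) once it has
    `max_failures` failed logins within `window` seconds, for `ban_time`
    seconds.  As with pam_abl, a blacklisted key fails silently: the caller
    gets the same 'denied' answer as for a wrong password."""

    def __init__(self, key, max_failures, window, ban_time):
        assert key in ("user", "host")
        self.key = key
        self.max_failures = max_failures
        self.window = window
        self.ban_time = ban_time
        self.failures = defaultdict(deque)  # key -> timestamps of failures
        self.banned_until = {}              # key -> ban expiry timestamp

    def _key(self, user, host):
        return user if self.key == "user" else host

    def is_blacklisted(self, user, host, now):
        k = self._key(user, host)
        until = self.banned_until.get(k)
        if until is None:
            return False
        if now < until:
            return True
        del self.banned_until[k]  # ban expired
        return False

    def attempt(self, user, host, password_ok, now):
        """Return True if the login is allowed at time `now` (seconds).
        A correct password is rejected while the key is blacklisted, which
        is exactly what makes a username-keyed blacklist a DoS vector."""
        if self.is_blacklisted(user, host, now):
            return False
        if password_ok:
            return True
        k = self._key(user, host)
        q = self.failures[k]
        q.append(now)
        while q and now - q[0] > self.window:  # drop failures outside window
            q.popleft()
        if len(q) >= self.max_failures:
            self.banned_until[k] = now + self.ban_time
            q.clear()
        return False


def simulate(key):
    """Constructed scenario: an attacker at 203.0.113.5 guesses alice's
    password ten times in ten seconds, then alice logs in with her correct
    password from 198.51.100.7.  Returns a tuple
    (alice_logged_in, attacker_ever_succeeded, attacker_later_success).
    With key="user" alice is locked out; with key="host" she is not."""
    bl = Blacklister(key=key, max_failures=5, window=60, ban_time=600)
    attacker_ok = False
    for i in range(10):
        attacker_ok |= bl.attempt("alice", "203.0.113.5", False, now=i)
    alice_ok = bl.attempt("alice", "198.51.100.7", True, now=30)
    # Even a correct guess from the banned host is silently refused.
    attacker_late = bl.attempt("alice", "203.0.113.5", True, now=31)
    return alice_ok, attacker_ok, attacker_late


if __name__ == "__main__":
    for key in ("user", "host"):
        print(key, simulate(key))
```

Running it shows the asymmetry: keyed on the user, the legitimate login from a different host is refused because the attacker exhausted alice's budget; keyed on the host, only the attacker's address is affected and alice gets in, which matches the "hosts maybe, users no" position taken in the reply.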