[Mageia-dev] Fail2Ban vs Blockhosts vs DenyHosts vs iptable throttle for SSH

Colin Guthrie mageia at colin.guthr.ie
Tue Feb 19 13:13:45 CET 2013


'Twas brillig, and Robert Fox at 19/02/13 11:45 did gyre and gimble:
> On Tue, 2013-02-19 at 12:35 +0100, Guillaume Rousse wrote:
>> On 19/02/2013 12:20, finid at linuxbsdos.com wrote:
>>> If that's how you feel about having a program like DenyHosts running by
>>> default, do you feel the same way about having a firewall running and
>>> configured out of the box?
>>>
>>> Is a firewall a sysadmin's or packager's choice?
>> A sysadmin choice. Pushing always more stuff 'by default' doesn't help 
>> users to make educated choices.
> 
> On one hand I agree, on the other hand - we want a distribution which
> simply works and common choices are made (like which firewall) from the
> distro side - a good enough Sysadmin can then change to his/her liking
> afterwards.  This is more or less a distro "philosophy" question, but
> look why "Mint" has become so popular - because many choices are made
> upfront for the user - yet the flexibility is in the system (and enough
> packages) for an advanced user to change them!
> 
> As long as the default settings are documented upfront - I see no issue
> in making such a decision on behalf of the "average" user - and making a
> more security robust distribution.

Yup, I agree with this.

I know my way around sufficiently that I can happily change the stuff
I don't like.

I think we do have to pick reasonably sensible defaults. Ultimately
that's what msec does too - defines sensible defaults for the security
level picked.

So overall I'd welcome a default setup that allows things to be more
secure/robust by default (obviously balanced against user experience -
e.g. a *very* secure setup would be to ban all traffic in or out... but
that's not a nice user experience :D).

Col

-- 

Colin Guthrie
colin(at)mageia.org
http://colin.guthr.ie/

Day Job:
  Tribalogic Limited http://www.tribalogic.net/
Open Source:
  Mageia Contributor http://www.mageia.org/
  PulseAudio Hacker http://www.pulseaudio.org/
  Trac Hacker http://trac.edgewall.org/

