[Mageia-dev] Fail2Ban vs Blockhosts vs DenyHosts vs iptable throttle for SSH

finid at linuxbsdos.com
Tue Feb 19 13:44:10 CET 2013



On 2013-02-19 12:13, Colin Guthrie wrote:
> 'Twas brillig, and Robert Fox at 19/02/13 11:45 did gyre and gimble:
>> On Tue, 2013-02-19 at 12:35 +0100, Guillaume Rousse wrote:
>>> On 19/02/2013 12:20, finid at linuxbsdos.com wrote:
>>>> If that's how you feel about having a program like DenyHosts running by
>>>> default, do you feel the same way about having a firewall running and
>>>> configured out of the box?
>>>>
>>>> Is a firewall a sysadmin's or packager's choice?
>>> A sysadmin choice. Pushing always more stuff 'by default' doesn't help
>>> users to make educated choices.
>>
>> On one hand I agree, on the other hand - we want a distribution which
>> simply works and common choices are made (like which firewall) from the
>> distro side - a good enough Sysadmin can then change to his/her liking
>> afterwards.  This is more or less a distro "philosophy" question, but
>> look why "Mint" has become so popular - because many choices are made
>> upfront for the user - yet the flexibility is in the system (and enough
>> packages) for an advanced user to change them!
>>
>> As long as the default settings are documented upfront - I see no issue
>> in making such a decision on behalf of the "average" user - and making a
>> more security robust distribution.
>
> Yup, I agree with this.
>
> I know my way around sufficiently that I can happily change the stuff
> I don't like.
>
> I think we do have to pick reasonably sensible defaults. Ultimately
> that's what msec does too - defines sensible defaults for the security
> level picked.
>
> So overall I'd welcome a default setup that allows things to be more
> secure/robust by default (obviously balanced against user experience -
> e.g. a *very* secure setup would be to ban all traffic in or out... but
> that's not a nice user experience :D).
>

If you are referring to a firewall, banning "all traffic in or out"
does not make sense. I'm sure we are all familiar with the concept of
Stateful Inspection.


--
finid


