Bug 245966

Summary: RFE: Allow SSH throttling to discourage brute force attacks
Product: [Fedora] Fedora Reporter: Danny D'Amours <danny.damours>
Component: system-config-firewallAssignee: Thomas Woerner <twoerner>
Status: CLOSED WONTFIX QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: low Docs Contact:
Priority: low    
Version: rawhideCC: poelstra, redhat-bugzilla
Target Milestone: ---Keywords: FutureFeature
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Enhancement
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2013-11-06 19:30:48 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Danny D'Amours 2007-06-27 17:51:09 UTC 
Description of problem:

With the SSH port opened via iptables, it is possible for others to run a brute
force ssh attack.

Version-Release number of selected component (if applicable):


How reproducible:

Always on any internet accessible machine

Steps to Reproduce:
1. Open SSH port via iptables or system-config-securitylevel
2.
3.
  
Actual results:

Logs reveal repeated and constant attempts to login to SSH using common
usernames and passwords

Expected results:

Allow users in system-config-securitylevel to enable throttling on the SSH port
to discourage repeated attempts.  See :
http://la-samhna.de/library/brutessh.html#3 for more details.

Ideally this functionality could be easily exposed as well as having the
parameters customizable.

Additional info:
Comment 1 Thomas Woerner 2007-07-25 11:50:43 UTC 
There will be a new firewall configuration tool for Fedora, soon. Mechanisms
like this are on the todo list.
Comment 2 Thomas Woerner 2007-09-21 09:14:58 UTC 
Assigning to system-config-firewall in devel.
Comment 3 Jon Stanley 2008-04-23 20:28:39 UTC 
Adding FutureFeature keyword to RFE's.
Comment 4 John Poelstra 2008-09-18 21:42:15 UTC 
The ability to block hosts which repeatedly fail to login is provided by the denyhosts package.  Should this RFE remain open?
Comment 5 Danny D'Amours 2008-09-19 14:02:00 UTC 
denyhosts certainly does the job but I think a GUI to enabled denyhosts and to change the config in system-config-firewall or its replacement is necessary to help expose this functionality.

Is there any chance that denyhosts (with fairly lax restrictions) would be considered to be enabled on default installs?  I can't think of a valid use case where an IP should continually bang on a server with bad passwords.
Comment 6 Thomas Woerner 2013-11-06 19:30:48 UTC 
Closing because there will not be big changes to system-config-firewall anymore.