Red Hat Bugzilla – Bug 245966
RFE: Allow SSH throttling to discourage brute force attacks
Last modified: 2013-11-06 14:30:48 EST
Description of problem:
With the SSH port opened via iptables, it is possible for others to run a brute
force ssh attack.
Version-Release number of selected component (if applicable):
Always on any internet accessible machine
Steps to Reproduce:
1. Open SSH port via iptables or system-config-securitylevel
Logs reveal repeated and constant attempts to log in to SSH using common
usernames and passwords
Allow users in system-config-securitylevel to enable throttling on the SSH port
to discourage repeated attempts. See
http://la-samhna.de/library/brutessh.html#3 for more details.
Ideally this functionality could be easily exposed as well as having the
There will be a new firewall configuration tool for Fedora soon. Mechanisms
like this are on the todo list.
Assigning to system-config-firewall in devel.
Adding FutureFeature keyword to RFEs.
The ability to block hosts which repeatedly fail to login is provided by the denyhosts package. Should this RFE remain open?
denyhosts certainly does the job but I think a GUI to enable denyhosts and to change the config in system-config-firewall or its replacement is necessary to help expose this functionality.
Is there any chance that denyhosts (with fairly lax restrictions) would be considered to be enabled on default installs? I can't think of a valid use case where an IP should continually bang on a server with bad passwords.
Closing because there will not be big changes to system-config-firewall anymore.
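The per-source SSH throttle this RFE asks for is what the linked article builds from the iptables "recent" match; the model below is an added example (not code from the bug report, from system-config-firewall or from the linked article) of how that rule pair decides each new connection. The window of 60 seconds, the hitcount of 4, the list name SSH and the traffic are assumptions constructed for the example.

```python
from collections import defaultdict, deque

# Added example (not from the bug report): a model of the iptables
# "-m recent" throttle used to slow down SSH brute forcing.
# Rules modelled (values are assumptions, not from this page):
#   iptables -A INPUT -p tcp --dport 22 -m state --state NEW \
#       -m recent --set --name SSH
#   iptables -A INPUT -p tcp --dport 22 -m state --state NEW \
#       -m recent --update --seconds 60 --hitcount 4 --name SSH -j DROP
# The --set rule records every new connection; the --update rule drops the
# connection once the source has `hitcount` stamps inside the last `seconds`
# and refreshes the entry when it matches. Because --set runs first, a host
# that keeps hammering keeps its own block alive; only a quiet period of
# `seconds` clears it, while a normal admin login is never affected.

class RecentThrottle:
    def __init__(self, seconds=60, hitcount=4, max_stamps=20):
        self.seconds = seconds
        self.hitcount = hitcount
        # xt_recent keeps only the last max_stamps timestamps per source
        self.stamps = defaultdict(lambda: deque(maxlen=max_stamps))

    def new_connection(self, src, now):
        """Return the verdict for a new SSH connection from src at time now."""
        stamps = self.stamps[src]
        stamps.append(now)                          # --set: record this attempt
        in_window = sum(1 for t in stamps if now - t <= self.seconds)
        if in_window >= self.hitcount:              # --update ... --hitcount
            stamps.append(now)                      # a match refreshes the entry
            return "DROP"
        return "ACCEPT"

def simulate(attempts, seconds=60, hitcount=4):
    """attempts: iterable of (src, time_in_seconds); returns (src, t, verdict) in time order."""
    throttle = RecentThrottle(seconds, hitcount)
    ordered = sorted(attempts, key=lambda a: a[1])
    return [(src, t, throttle.new_connection(src, t)) for src, t in ordered]

# Constructed traffic: one host hammering sshd, one admin logging in normally.
ATTEMPTS = [
    ("203.0.113.5", 0), ("203.0.113.5", 1), ("203.0.113.5", 2),
    ("203.0.113.5", 3), ("203.0.113.5", 4), ("203.0.113.5", 100),
    ("198.51.100.7", 0), ("198.51.100.7", 30), ("198.51.100.7", 120),
]

def verdicts_for(src, attempts=ATTEMPTS):
    return [v for s, _, v in simulate(attempts) if s == src]

if __name__ == "__main__":
    for src, t, verdict in simulate(ATTEMPTS):
        print(f"t={t:>3}s  {src:<14} {verdict}")
```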