derek at pointerstop.ca
Wed Jan 14 18:26:26 UTC 2009
> On Wed, Jan 14, 2009 at 4:24 PM, Derek Broughton
> <derek at pointerstop.ca> wrote:
>> Res is right about the
>> users who forget their passwords - you need to have a simple procedure
>> for unbanning their IP at the same time as you reset their password (and
>> remember, if they're using dynamic IPs, you may have already banned a
>> of different addresses by the time they ask for a password reset - what
>> do you do when a week later the user can't get in because he's been given
>> the IP that is still banned).
> The answer to that is straight out of the Denyhosts config file. And
> there is more but you get the idea.
Of course - I wasn't trying to suggest it's difficult, merely that if you are
using something like fail2ban you need to be aware of how it's working, what
it's doing and _establish_ a policy to ensure you don't get into a bind when
idiot-end-users get locked out of the system.
In my hypothetical case, suppose you've set up the Denyhosts to expire a ban
after two days, and when the user contacted you, you reset both his password
and the ban for the IP address he's using right then, but the next day he's
coming in on the address that he got banned a few hours earlier. Probably
telling him "you'll be able to access the system tomorrow" won't be good
That said, I _would_ use fail2ban as part of an overall security strategy.