blacklistd.conf? (Score:2)
Blacklistd looks like a great idea but I checked out the syntax in blacklistd.conf and I think it could use some work.
I could see lots of admins getting bitten by "nfail=*" meaning never. To me, that name or a '*' isn't the right choice. Security config files absolutely must be unambiguous to people who aren't going to read the manual. Cron has a similar syntax and I've seen several cases where a simple change to a crontab resulted in a 5 star screwup that ran something 1440 times a day.
Re: (Score:2)
Security config files absolutely must be unambiguous to people who aren't going to read the manual.
People who aren't going to read the manual are unlikely to get their security right, blacklistd or not.
Security-aware admins do read the manual.
Cron [...] 5 star screwup
Well put