On Tue, 2015-02-03 at 14:48 -0600, Les Mikesell wrote:
> On Tue, Feb 3, 2015 at 2:44 PM, Always Learning centos@u64.u22.net wrote:
> > There should be a basic defence that when the password is wrong on 'n' occasions the IP address is blocked automatically and permanently unless it is specifically allowed in IP Tables.
> The people who are good at this will make the attempts from many different IPs - and sometimes cycle through a dictionary of different login names too.
If 'n' is low, perhaps '2', then brute forcing will become more protracted.
An addition to my proposal is to allocate all sensitive users to a special group and limit the membership of that group to a maximum of, for example, 3 wrong password attempts within a SysAdmin chosen time interval.
Simple.
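
The two counting rules discussed in this thread, as an added example that is not from any poster: a per-IP failure count of 'n' next to a per-account count inside a time window, run over constructed sshd-style log lines in which one account is tried from several addresses. The function names, the thresholds, the sample lines and the log year (syslog lines carry none) are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in sshd's "Failed password" format (not real logs).
# 203.0.113.0/24 and 198.51.100.0/24 are reserved documentation ranges.
SAMPLE_LOG = """\
Feb  3 14:00:01 host sshd[101]: Failed password for root from 203.0.113.5 port 4000 ssh2
Feb  3 14:00:03 host sshd[102]: Failed password for root from 203.0.113.5 port 4001 ssh2
Feb  3 14:00:10 host sshd[103]: Failed password for admin from 198.51.100.1 port 5000 ssh2
Feb  3 14:00:20 host sshd[104]: Failed password for admin from 198.51.100.2 port 5001 ssh2
Feb  3 14:00:30 host sshd[105]: Failed password for admin from 198.51.100.3 port 5002 ssh2
Feb  3 14:30:00 host sshd[106]: Failed password for alice from 198.51.100.9 port 5003 ssh2
"""

LINE_RE = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(\S+) from (\S+) port \d+")

def parse_failures(text, year=2015):
    """Yield (timestamp, user, ip) for each failed-password line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            yield ts, m.group(2), m.group(3)

def ips_over_limit(events, n):
    """Per-IP rule: source addresses with at least n failures (block candidates)."""
    counts = defaultdict(int)
    for _, _, ip in events:
        counts[ip] += 1
    return {ip for ip, c in counts.items() if c >= n}

def users_over_limit(events, limit, window):
    """Per-account rule: users with `limit` failures inside `window`, from any IP."""
    by_user = defaultdict(list)
    for ts, user, _ in events:
        by_user[user].append(ts)
    flagged = set()
    for user, stamps in by_user.items():
        stamps.sort()
        for i in range(len(stamps) - limit + 1):
            if stamps[i + limit - 1] - stamps[i] <= window:
                flagged.add(user)
                break
    return flagged

EVENTS = list(parse_failures(SAMPLE_LOG))
```

With n = 2 the per-IP rule returns only 203.0.113.5, while a per-account limit of 3 within ten minutes flags `admin`, whose failures each came from a different address.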