On 2015-02-03, Markus markus.scharitzer@gmail.com wrote:
On 2015-02-03 22:22, Always Learning wrote:
(1) When external access gets a password wrong 'n' occasions, as determined by the SysAdmin, the external IP address is automatically permanently blocked unless that IP is included in a IP Tables 'allow' table.
(2) If specifically allowed in IP Tables, that IP be blocked for 'm' minutes, as determined by the SysAdmin, before another attempt can be made.
(3) All sensitive users be added to a special group. Limit the membership of that group to a collective maximum of 'n' SysAdmin chosen wrong password attempts within a time interval of 't' chosen by the SysAdmin.
I am maybe mislead, but I thought that is exactly what fail2ban[1] would do and this is already a few years out. Also it is ,if I remember correctly, in epel.
sshguard can also do this (not sure if it's in EPEL or another common repo).
More paranoid sysadmins simply disable all password logins and make users use ssh keys instead.
--keith