On Tue, 2015-02-03 at 14:48 -0600, Les Mikesell wrote:
> On Tue, Feb 3, 2015 at 2:44 PM, Always Learning <centos at u64.u22.net> wrote:
> >
> > There should be a basic defence that when the password is wrong 'n'
> > occasions the IP address is blocked automatically and permanently unless
> > it is specifically allowed in IP Tables.
>
> The people who are good at this will make the attempts from many
> different IPs - and sometimes cycle through a dictionary of different
> login names too.

If 'n' is low, perhaps '2', then brute forcing will become more
protracted.

An addition to my proposal is to allocate all sensitive users to a
special group and limit the membership of that group to a maximum of,
for example, 3 wrong password attempts within a SysAdmin-chosen time
interval. Simple.

--
Regards,

Paul.
England, EU. Je suis Charlie.
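
The two rules discussed in this message, run over sshd log lines, as an added example that is not part of the original post: the per-IP block misses password guessing spread across several addresses, while a per-account limit for a sensitive group catches it. The log lines, user names, function names and the choice to lock once the limit is reached are assumptions made for the illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sshd log lines (documentation IP ranges, invented users).
SAMPLE_LOG = """\
Feb  3 14:40:01 host sshd[2101]: Failed password for root from 192.0.2.10 port 40001 ssh2
Feb  3 14:40:09 host sshd[2102]: Failed password for root from 198.51.100.7 port 40002 ssh2
Feb  3 14:40:15 host sshd[2103]: Failed password for root from 203.0.113.44 port 40003 ssh2
Feb  3 14:41:02 host sshd[2104]: Failed password for invalid user bob from 192.0.2.99 port 40004 ssh2
Feb  3 14:41:05 host sshd[2105]: Failed password for invalid user bob from 192.0.2.99 port 40005 ssh2
Feb  3 14:41:30 host sshd[2106]: Accepted password for alice from 192.0.2.50 port 40006 ssh2
"""

FAILED = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) \S+ sshd\[\d+\]: "
                    r"Failed password for (?:invalid user )?(\S+) from (\S+) port")

def parse_failures(log, year=2015):
    """Return (timestamp, user, ip) for each failed-password line."""
    events = []
    for line in log.splitlines():
        m = FAILED.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            events.append((ts, m.group(2), m.group(3)))
    return events

def ips_to_block(events, n):
    """Per-IP rule from the thread: block an address after n wrong passwords."""
    counts = defaultdict(int)
    for _, _, ip in events:
        counts[ip] += 1
    return {ip for ip, c in counts.items() if c >= n}

def accounts_to_lock(events, sensitive, limit, window):
    """Per-account rule: count failures inside the window, whatever the source IP."""
    times, locked = defaultdict(list), set()
    for ts, user, _ in sorted(events):
        if user in sensitive:
            # Keep only this account's failures that are still inside the window.
            times[user] = [t for t in times[user] if ts - t <= window] + [ts]
            if len(times[user]) >= limit:
                locked.add(user)
    return locked

if __name__ == "__main__":
    events = parse_failures(SAMPLE_LOG)
    print("blocked IPs:", ips_to_block(events, n=2))
    print("locked accounts:", accounts_to_lock(events, {"root"}, 3, timedelta(minutes=5)))
```

A per-account lock can also be triggered on purpose by anyone able to send wrong passwords for that login, so the interval and the unlock procedure need choosing with that in mind.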