On 2015-02-03 22:22, Always Learning wrote:
>
> On Tue, 2015-02-03 at 15:51 -0500, Jonathan Billings wrote:
>
>> Also, it isn't up to the *installer* to set up a system that resists
>> brute-force password attacks.
>
> Give us the tools to do the job !
>
> My amalgamated idea is:-
>
> (1) When external access gets a password wrong 'n' occasions, as
> determined by the SysAdmin, the external IP address is automatically
> permanently blocked unless that IP is included in an IP Tables 'allow'
> table.
>
> (2) If specifically allowed in IP Tables, that IP be blocked for 'm'
> minutes, as determined by the SysAdmin, before another attempt can be
> made.
>
> (3) All sensitive users be added to a special group. Limit the
> membership of that group to a collective maximum of 'n' SysAdmin chosen
> wrong password attempts within a time interval of 't' chosen by the
> SysAdmin.
>
> Baffled why it has never been done but then I'm Always Learning.
>

I am maybe misled, but I thought that is exactly what fail2ban[1] would do,
and this is already a few years out. Also it is, if I remember correctly, in epel.

Regards,
Markus

[1] http://www.fail2ban.org/wiki/index.php/Main_Page
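
The three rules from the quoted proposal, replayed over sshd log lines, as an added example that is not part of the original thread and is not fail2ban's code. The function name `apply_policy`, its parameters (`n`, `m`, `t` follow the proposal; `group_n` is the group limit from rule (3)), the timestamp format and the sample log are constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# OpenSSH "Failed password" line with an ISO timestamp prefix (constructed log format).
FAILED = re.compile(r"^(\S+) sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port")

def apply_policy(lines, n, m, allow, sensitive, group_n, t):
    """Replay the three rules; returns (permanent, temp_until, group_locked_at)."""
    fails = defaultdict(int)
    permanent, temp_until = set(), {}
    group_window, group_locked_at = deque(), None
    for line in lines:
        hit = FAILED.match(line)
        if not hit:
            continue
        ts, user, ip = datetime.fromisoformat(hit.group(1)), hit.group(2), hit.group(3)
        # A blocked address would be dropped at the firewall, so skip its attempts.
        if ip in permanent or temp_until.get(ip, ts) > ts:
            continue
        fails[ip] += 1
        if fails[ip] >= n:
            fails[ip] = 0
            if ip in allow:      # rule (2): allow-listed IP waits m minutes
                temp_until[ip] = ts + timedelta(minutes=m)
            else:                # rule (1): everyone else is blocked for good
                permanent.add(ip)
        if user in sensitive and group_locked_at is None:
            # rule (3): failures across the whole group, counted within t minutes
            group_window.append(ts)
            while ts - group_window[0] > timedelta(minutes=t):
                group_window.popleft()
            if len(group_window) >= group_n:
                group_locked_at = ts
    return permanent, temp_until, group_locked_at

# Constructed sample input; addresses are from the documentation ranges.
SAMPLE_LOG = """\
2015-02-03T22:00:01 sshd[2101]: Failed password for root from 203.0.113.5 port 40001 ssh2
2015-02-03T22:00:03 sshd[2102]: Failed password for invalid user admin from 203.0.113.5 port 40002 ssh2
2015-02-03T22:00:05 sshd[2103]: Failed password for root from 203.0.113.5 port 40003 ssh2
2015-02-03T22:00:09 sshd[2104]: Failed password for root from 203.0.113.5 port 40004 ssh2
2015-02-03T22:01:00 sshd[2110]: Failed password for alice from 198.51.100.7 port 51000 ssh2
2015-02-03T22:01:10 sshd[2111]: Failed password for alice from 198.51.100.7 port 51001 ssh2
2015-02-03T22:01:20 sshd[2112]: Failed password for alice from 198.51.100.7 port 51002 ssh2
2015-02-03T22:05:00 sshd[2120]: Accepted password for bob from 192.0.2.9 port 52000 ssh2
""".splitlines()

if __name__ == "__main__":
    print(apply_policy(SAMPLE_LOG, 3, 10, {"198.51.100.7"}, {"root", "alice"}, 4, 5))
```

fail2ban exposes the per-address part of this through its `maxretry`, `findtime`, `bantime` and `ignoreip` jail settings; note that `ignoreip` exempts an address entirely rather than giving it the timed block of rule (2).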