On 2015-02-03, Markus <markus.scharitzer at gmail.com> wrote:
> On 2015-02-03 22:22, Always Learning wrote:
>>
>> (1) When external access gets a password wrong 'n' occasions, as
>> determined by the SysAdmin, the external IP address is automatically
>> permanently blocked unless that IP is included in an IP Tables 'allow'
>> table.
>>
>> (2) If specifically allowed in IP Tables, that IP be blocked for 'm'
>> minutes, as determined by the SysAdmin, before another attempt can be
>> made.
>>
>> (3) All sensitive users be added to a special group. Limit the
>> membership of that group to a collective maximum of 'n' SysAdmin chosen
>> wrong password attempts within a time interval of 't' chosen by the
>> SysAdmin.
>
> I am maybe misled, but I thought that is exactly what fail2ban[1] would
> do and this is already a few years out. Also it is, if I remember
> correctly, in epel.

sshguard can also do this (not sure if it's in EPEL or another common repo).

http://www.sshguard.net

More paranoid sysadmins simply disable all password logins and make
users use ssh keys instead.

--keith

--
kkeller at wombat.san-francisco.ca.us
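
The three rules quoted above, worked through over a few log lines, as an added example that is not part of the original thread and not how fail2ban or sshguard are implemented. The simplified log format, the function name `evaluate`, the thresholds and the sample lines are all assumptions constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed, simplified sshd-style lines (documentation IP ranges only).
SAMPLE_LOG = """\
2015-02-03T22:00:01 sshd[811]: Failed password for root from 203.0.113.7 port 4001 ssh2
2015-02-03T22:00:05 sshd[812]: Failed password for root from 203.0.113.7 port 4002 ssh2
2015-02-03T22:00:09 sshd[813]: Failed password for root from 203.0.113.7 port 4003 ssh2
2015-02-03T22:01:00 sshd[820]: Failed password for alice from 198.51.100.20 port 5001 ssh2
2015-02-03T22:01:10 sshd[821]: Failed password for alice from 198.51.100.20 port 5002 ssh2
2015-02-03T22:01:20 sshd[822]: Failed password for alice from 198.51.100.20 port 5003 ssh2
2015-02-03T22:02:00 sshd[830]: Failed password for admin from 192.0.2.55 port 6001 ssh2
2015-02-03T22:05:00 sshd[840]: Failed password for alice from 198.51.100.20 port 5004 ssh2
2015-02-03T22:12:00 sshd[850]: Accepted password for alice from 198.51.100.20 port 5005 ssh2
"""

FAIL_RE = re.compile(
    r"^(\S+) sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port")

def evaluate(log, allow, sensitive, n=3, m=10, group_n=4, t=5):
    """Return (permanently blocked IPs, {IP: blocked until}, group lock time)."""
    fails, permanent, temporary = defaultdict(int), set(), {}
    group_hits, group_locked_at = deque(), None
    for line in log.splitlines():
        hit = FAIL_RE.match(line)
        if not hit:
            continue
        ts, user, ip = datetime.fromisoformat(hit[1]), hit[2], hit[3]
        if ip in permanent or (ip in temporary and ts < temporary[ip]):
            continue  # a blocked address would never have reached sshd
        fails[ip] += 1
        if fails[ip] >= n:
            fails[ip] = 0
            if ip in allow:   # rule (2): allow-listed, block for m minutes
                temporary[ip] = ts + timedelta(minutes=m)
            else:             # rule (1): everyone else, block permanently
                permanent.add(ip)
        if user in sensitive:  # rule (3): one shared budget for the group
            group_hits.append(ts)
            while ts - group_hits[0] > timedelta(minutes=t):
                group_hits.popleft()
            if group_locked_at is None and len(group_hits) >= group_n:
                group_locked_at = ts
    return permanent, temporary, group_locked_at
```

Note that rule (3) trips on the fourth failure even though it comes from a different address than the first three, which per-IP counting alone would not catch.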