[CentOS] Another Fedora decision
Keith Keller
kkeller at wombat.san-francisco.ca.us
Tue Feb 3 22:39:12 UTC 2015
On 2015-02-03, Markus <markus.scharitzer at gmail.com> wrote:
> On 2015-02-03 22:22, Always Learning wrote:
>>
>> (1) When external access gets a password wrong 'n' occasions, as
>> determined by the SysAdmin, the external IP address is automatically
>> permanently blocked unless that IP is included in a IP Tables 'allow'
>> table.
>>
>> (2) If specifically allowed in IP Tables, that IP be blocked for 'm'
>> minutes, as determined by the SysAdmin, before another attempt can be
>> made.
>>
>> (3) All sensitive users be added to a special group. Limit the
>> membership of that group to a collective maximum of 'n' SysAdmin chosen
>> wrong password attempts within a time interval of 't' chosen by the
>> SysAdmin.
>
> I am maybe mislead, but I thought that is exactly what fail2ban[1] would
> do and this is already a few years out. Also it is ,if I remember
> correctly, in epel.
sshguard can also do this (not sure if it's in EPEL or another common
repo).
http://www.sshguard.net
More paranoid sysadmins simply disable all password logins and make
users use ssh keys instead.
--keith
--
kkeller at wombat.san-francisco.ca.us
More information about the CentOS
mailing list