[CentOS] Another Fedora decision

Tue Feb 3 22:39:12 UTC 2015
Keith Keller <kkeller at wombat.san-francisco.ca.us>

On 2015-02-03, Markus <markus.scharitzer at gmail.com> wrote:
> On 2015-02-03 22:22, Always Learning wrote:
>> 
>> (1)  When external access gets a password wrong 'n' occasions, as
>> determined by the SysAdmin, the external IP address is automatically
>> permanently blocked unless that IP is included in an IP Tables 'allow'
>> table.
>> 
>> (2) If specifically allowed in IP Tables, that IP be blocked for 'm'
>> minutes, as determined by the SysAdmin, before another attempt can be
>> made.
>> 
>> (3)  All sensitive users be added to a special group. Limit the
>> membership of that group to a collective maximum of 'n' SysAdmin chosen
>> wrong password attempts within a time interval of 't' chosen by the
>> SysAdmin.
>
> I am maybe misled, but I thought that is exactly what fail2ban[1] would
> do and this is already a few years out. Also it is, if I remember
> correctly, in epel.

sshguard can also do this (not sure if it's in EPEL or another common
repo).

http://www.sshguard.net

More paranoid sysadmins simply disable all password logins and make
users use ssh keys instead.

--keith

-- 
kkeller at wombat.san-francisco.ca.us
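
Added example, not part of the original message and not code from fail2ban or sshguard: a minimal sketch of rules (1) and (2) quoted above, run over constructed sshd "Failed password" lines. The function name decide, its parameters and the sample addresses are assumptions made for illustration; a real deployment would hand each decision to the firewall instead of returning it.

```python
import re

# Matches sshd's "Failed password" message and captures the source address.
FAILED = re.compile(r"Failed password for (?:invalid user )?\S+ from (\S+) port \d+")

# Constructed sample input: (time in seconds, sshd message). The addresses
# come from the RFC 5737 documentation ranges.
SAMPLE = [
    (0,   "Failed password for root from 203.0.113.7 port 50122 ssh2"),
    (5,   "Failed password for invalid user admin from 203.0.113.7 port 50124 ssh2"),
    (9,   "Failed password for alice from 198.51.100.20 port 40110 ssh2"),
    (12,  "Failed password for root from 203.0.113.7 port 50130 ssh2"),
    (20,  "Failed password for alice from 198.51.100.20 port 40112 ssh2"),
    (25,  "Failed password for alice from 198.51.100.20 port 40114 ssh2"),
    (30,  "Failed password for root from 203.0.113.7 port 50140 ssh2"),
    (100, "Failed password for alice from 198.51.100.20 port 40120 ssh2"),
    (700, "Failed password for alice from 198.51.100.20 port 40130 ssh2"),
]

def decide(events, n, m_minutes, allowlist):
    """Apply rules (1) and (2); return [(time, ip, action)] for each new block."""
    failures = {}       # ip -> failed attempts since its last block
    blocked_until = {}  # ip -> expiry time, or None for a permanent block
    decisions = []
    for ts, msg in events:
        match = FAILED.search(msg)
        if not match:
            continue
        ip = match.group(1)
        if ip in blocked_until:
            expiry = blocked_until[ip]
            if expiry is None or ts < expiry:
                continue           # still blocked: the firewall would drop this
            del blocked_until[ip]  # the timed block has expired
        failures[ip] = failures.get(ip, 0) + 1
        if failures[ip] >= n:
            failures[ip] = 0
            if ip in allowlist:    # rule (2): timed block for allowed addresses
                blocked_until[ip] = ts + m_minutes * 60
                decisions.append((ts, ip, f"block {m_minutes}m"))
            else:                  # rule (1): permanent block
                blocked_until[ip] = None
                decisions.append((ts, ip, "block permanent"))
    return decisions

if __name__ == "__main__":
    for row in decide(SAMPLE, n=3, m_minutes=10, allowlist={"198.51.100.20"}):
        print(row)
```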