On Sunday, April 03, 2011 12:17:55 pm Lamont Granquist wrote:
> you can already use fail2ban to accomplish this kind of thing.
>
> the original idea i think is somewhat terrible in a multi-user
> enterprise-y kind of environment since you'll wind up telling users that
> they have to wait 2 seconds before entering their passphrase
> constantly. for your home server it might work, but you can always
> set up public keys or OTP pretty easily as well, in addition to fail2ban.
>
> you can also use pam_tally to only allow 6 failed passwords in a row
> before locking the account. i run the cronjob to unlock all the
> accounts every 30 mins or so, which only allows a velocity of 12 guesses
> per hour on a single account, while not requiring users with locked
> accounts to call up a helpdesk.
>

I've had good experiences with bfd[1], which scans logs for invalid login
attempts per user; after X attempts, the IP is banned. The length of the
ban is variable (30 minutes was good enough to stop repeated attacks).
Bonus, it kept the logs clean.

Mike

[1] http://www.rfxn.com/projects/brute-force-detection/

-- 
To the systems programmer, users and applications serve only to provide a
test load.
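The log-scanning approach Mike describes (count failed logins per source address, ban the address after X attempts, lift the ban after a fixed interval) is small enough to show end to end. The following is an added example written for this thread; it is not code from bfd, fail2ban or either poster. It assumes OpenSSH "Failed password" log lines with a leading ISO-8601 timestamp (a constructed convention, since real syslog lines carry "Apr  3 12:17:55" without a year), and it borrows the thread's numbers: six failures trigger a ban, and the ban lasts 30 minutes. The sample log lines are constructed.

```python
"""Log-scanning brute-force detector in the style discussed in the thread:
count failed logins per source IP inside a sliding window, ban the IP once
a threshold is reached, and lift the ban after a fixed interval."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Matches OpenSSH "Failed password" lines. The leading ISO-8601 timestamp is a
# constructed convention for this example; real syslog uses "Apr  3 12:17:55".
FAILED_RE = re.compile(
    r"^(?P<ts>\S+) \S+ sshd\[\d+\]: Failed password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


class BruteForceDetector:
    def __init__(self, max_attempts=6, window=timedelta(minutes=10),
                 ban_length=timedelta(minutes=30)):
        self.max_attempts = max_attempts
        self.window = window
        self.ban_length = ban_length
        self.attempts = defaultdict(deque)  # ip -> timestamps of recent failures
        self.bans = {}                      # ip -> time at which the ban expires
        self.events = []                    # (iso time, "ban"/"unban", ip) audit trail

    def _expire(self, now):
        # Bans are lifted lazily, when the next log line is processed, so the
        # recorded "unban" time is the observation time, not the exact expiry.
        for ip, until in list(self.bans.items()):
            if now >= until:
                del self.bans[ip]
                self.events.append((now.isoformat(), "unban", ip))

    def feed(self, line):
        """Process one log line. Returns None for lines that are not failed
        logins, otherwise "fail", "ban" (threshold just reached) or "banned"
        (attempt from an address that is already banned)."""
        m = FAILED_RE.match(line)
        if not m:
            return None
        now = datetime.fromisoformat(m["ts"])
        ip = m["ip"]
        self._expire(now)
        if ip in self.bans:
            return "banned"
        q = self.attempts[ip]
        q.append(now)
        while q and now - q[0] > self.window:   # drop failures outside the window
            q.popleft()
        if len(q) >= self.max_attempts:
            self.bans[ip] = now + self.ban_length
            self.events.append((now.isoformat(), "ban", ip))
            q.clear()
            return "ban"
        return "fail"


def run_sample():
    """Run the detector over constructed log lines (not real traffic)."""
    det = BruteForceDetector(max_attempts=6, ban_length=timedelta(minutes=30))
    lines = [
        f"2011-04-03T12:{s} gw sshd[1234]: Failed password for invalid user admin "
        f"from 203.0.113.5 port 4242 ssh2"
        for s in ("17:55", "18:00", "18:05", "18:10", "18:15", "18:20")
    ] + [
        # Two typos from a legitimate user followed by a key login: never banned.
        "2011-04-03T12:18:30 gw sshd[1240]: Failed password for mike from 198.51.100.7 port 5000 ssh2",
        "2011-04-03T12:18:35 gw sshd[1240]: Failed password for mike from 198.51.100.7 port 5000 ssh2",
        "2011-04-03T12:18:40 gw sshd[1240]: Accepted publickey for mike from 198.51.100.7 port 5000 ssh2",
        # Attempt while the ban is active, then one after the 30 minutes have passed.
        "2011-04-03T12:20:00 gw sshd[1250]: Failed password for invalid user root from 203.0.113.5 port 4300 ssh2",
        "2011-04-03T12:50:00 gw sshd[1260]: Failed password for invalid user root from 203.0.113.5 port 4400 ssh2",
    ]
    results = [det.feed(line) for line in lines]
    return results, det.events


if __name__ == "__main__":
    verdicts, events = run_sample()
    print(verdicts)
    for when, action, ip in events:
        print(f"{when} {action} {ip}")
```

In a real deployment the "ban" event is where the firewall rule would be added and "unban" where it would be removed; here the detector only records them so the logic can be checked offline. The ban length and threshold are the knobs Lamont and Mike are trading off in the thread: a longer ban lowers the attacker's guess rate further, at the cost of locking out a legitimate user who shares the address for longer.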