Matt Peter wrote:
> I'm receiving a few hundred failed ssh login attempts per day. I'm not
> worried about it, since they appear automated and ssh is locked down
> appropriately. I'd like to be able to IP ban these connections after a
> set number of failed login attempts.
Having personally experienced being locked out of systems because of admins that have set up such things, let me say that setting up blocking because of failed logins is a Bad Thing. The reasons can be simply that someone on the system with an id near yours misspells it a lot and therefore always locks out the legitimate user. Or it could be that you don't like someone and so intentionally lock them out of their accounts out of spite. Regardless, it trivially leads to a denial of service attack against valid users.

The usual way to handle this for people who insist upon doing something about it is to rate limit the login attempts. Requiring a small number of seconds between login attempts is sufficient to prevent brute force attacks but still allow valid users to log into the system.

Of course your suggestion to put this on a non-standard port leads me to believe this is just for you and no one else, though, so that might be fine in that case. Personally I would just ignore it in the logs.

> I'd rather not put ssh on a nonstandard port since I'd need to
> specify it on the cli every time I ssh (right?).

You can easily specify the port number in your ~/.ssh/config file.

    Host myhost
        Port 2222

Bob
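The trade-off Bob describes, that a "ban after N failures" rule can lock out a legitimate user who happens to share a source address with the guesser while a minimum gap between attempts only slows the automated client, worked through as an added example that is not part of this thread. It parses OpenSSH-style auth.log lines (the sample lines, host names, user names and addresses below are constructed for the example) and compares the two policies on the same events.

```python
import re
from collections import defaultdict, namedtuple
from datetime import datetime

# Constructed sample auth.log lines (not from the original thread).
# 203.0.113.5 is an automated guesser hitting one attempt per second;
# 198.51.100.7 is an office address where "bob" mistypes his password a few
# times and then "bobby" logs in successfully with a key.
SAMPLE_LOG = """\
Mar  1 10:00:01 host sshd[1001]: Failed password for invalid user admin from 203.0.113.5 port 40001 ssh2
Mar  1 10:00:02 host sshd[1002]: Failed password for invalid user admin from 203.0.113.5 port 40002 ssh2
Mar  1 10:00:03 host sshd[1003]: Failed password for root from 203.0.113.5 port 40003 ssh2
Mar  1 10:00:04 host sshd[1004]: Failed password for root from 203.0.113.5 port 40004 ssh2
Mar  1 10:05:00 host sshd[1005]: Failed password for bob from 198.51.100.7 port 50001 ssh2
Mar  1 10:05:20 host sshd[1006]: Failed password for bob from 198.51.100.7 port 50002 ssh2
Mar  1 10:05:40 host sshd[1007]: Failed password for bob from 198.51.100.7 port 50003 ssh2
Mar  1 10:06:10 host sshd[1008]: Accepted publickey for bobby from 198.51.100.7 port 50004 ssh2
"""

# Matches the common "Failed password for [invalid user] X from IP port N"
# and "Accepted <method> for X from IP port N" sshd message shapes.
LINE_RE = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(Failed password|Accepted \S+) for (?:invalid user )?(\S+) from (\S+) port \d+"
)

Event = namedtuple("Event", "ts failed user ip")


def parse_auth_log(text):
    """Turn sshd log lines into Event tuples; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        # syslog timestamps carry no year; only differences between them are used
        ts = datetime.strptime(re.sub(r"\s+", " ", m.group(1)), "%b %d %H:%M:%S")
        events.append(Event(ts, m.group(2).startswith("Failed"), m.group(3), m.group(4)))
    return events


def failures_by_ip(events):
    """Count failed attempts per source address."""
    counts = defaultdict(int)
    for e in events:
        if e.failed:
            counts[e.ip] += 1
    return dict(counts)


def ban_after_n_failures(events, threshold):
    """Simulate a naive 'ban the address after N failures' policy.

    Returns the set of banned addresses and the successful logins that the
    ban would have blocked, i.e. the collateral damage Bob warns about.
    """
    counts = defaultdict(int)
    banned = set()
    collateral = []
    for e in events:
        if e.ip in banned:
            if not e.failed:
                collateral.append((e.user, e.ip))
            continue
        if e.failed:
            counts[e.ip] += 1
            if counts[e.ip] >= threshold:
                banned.add(e.ip)
    return banned, collateral


def rate_limit(events, min_gap_seconds):
    """Simulate 'at least min_gap_seconds between attempts from one address'.

    Returns, per address, how many attempts arrived too soon after the
    previous one. A human retyping a password is spaced well apart and is
    never throttled; a scripted guesser is.
    """
    last_seen = {}
    throttled = defaultdict(int)
    for e in events:
        prev = last_seen.get(e.ip)
        if prev is not None and (e.ts - prev).total_seconds() < min_gap_seconds:
            throttled[e.ip] += 1
        last_seen[e.ip] = e.ts
    return dict(throttled)


if __name__ == "__main__":
    evs = parse_auth_log(SAMPLE_LOG)
    print("failures per IP:", failures_by_ip(evs))
    banned, blocked = ban_after_n_failures(evs, threshold=3)
    print("ban-after-3 bans:", sorted(banned), "and blocks:", blocked)
    print("5s rate limit throttles:", rate_limit(evs, min_gap_seconds=5))
```

With a threshold of 3 the ban policy blocks both addresses, so bobby's valid key login from the office address is refused; the 5-second rate limit throttles only the one-per-second guesser and leaves the office address untouched.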