Hi,

I encountered multiple times that Debian-based containers use fail2ban by default with a max attempt value of 5, even for SSH logins using strong asymmetric keys.

(Again I just got locked out for 1h (fortunately a container, so I can access it anyway). Do you know what happened? My SSH key agent asked whether to allow the key signing request, I accidentally said No, skipped the password queries by pressing Enter, tried again, and it timed out (according to my count that was 4 failures, but fail2ban banned my IP and the config file said it would ban after 5). Maybe I should be glad that the default action is just a 1hr ban, and not to secure-erase the rootfs and brick the main board (*).)

I would like to understand how it was possible to get such default values. They are good for helping to implement denial-of-service attacks, but not suited for production. Does anybody really think it is of any help to limit strong pub key authentication after 5 tries? Ohh, and my connection is from the LAN.

I don't know if this is a Debian default. Any hints (links) on why this is included at all and where the defaults come from are appreciated!

Steffen

(*) I know I should be careful with such jokes, as someone might like and implement it. Activated by default, of course.