Of course, dictionary or random attacks will be drastically hampered if you limit how often they can fail. 3 failures or so causing a lockout for some hours is the usual. Failed attempts can constitute a denial of service attack under some circumstances, though, due to network chatter.

On 3/2/21, Luke Kenneth Casson Leighton <l...@lkcl.net> wrote:
> On Tue, Mar 2, 2021 at 9:51 AM <oreg...@disroot.org> wrote:
>
>> Considering running a freedom box or similar, I have a RPi running Buster
>> outside my home router's DMZ. It was discovered within a short time
>> (minutes or hours) of first being setup.
>
> ahh yes. welcome to the discovery that there are people running
> extremely sophisticated long-running break-in attempts, world-wide.
>
>> It now has fail2ban running with defaults. Over about the last month,
>> fail2ban logs show about 35,000 "unbans" from about 3700 unique IPs.
>
> if you want to do something "gradual", use fail2ban recidive.
>
> i decided 3 years ago that enough was enough, and simply set all and
> any failed password attempts at an instant 2 week ban. by running
> OpenVPN i can at least get in if i happen to make a mistake.
>
> l.
>
>

--
-------------
Education is contagious.
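
The two approaches discussed in this thread, written out as a fail2ban `jail.local` fragment. This is an added example, not configuration posted by either participant. The 4-hour ban, the 10-minute window and the `10.8.0.0/24` VPN range are assumed placeholder values, and the time suffixes (`m`, `h`, `d`, `w`) assume fail2ban 0.10 or later.

```ini
# /etc/fail2ban/jail.local
# Local overrides only; the packaged jail.conf stays untouched.

[DEFAULT]
# Addresses that are never banned. 10.8.0.0/24 is a placeholder for the
# VPN range you use to get back in after mistyping a password.
ignoreip = 127.0.0.1/8 ::1 10.8.0.0/24

[sshd]
enabled  = true
# "Gradual" first tier: three failures inside ten minutes gives a ban of
# a few hours (values assumed for illustration).
maxretry = 3
findtime = 10m
bantime  = 4h

# Strict variant from the quoted message: a single failed attempt is
# banned for two weeks. Use these two lines instead of the values above.
# maxretry = 1
# bantime  = 2w

[recidive]
# Second tier: reads fail2ban's own log and re-bans hosts that keep
# being banned by other jails, for much longer than the first tier.
enabled  = true
logpath  = /var/log/fail2ban.log
maxretry = 3
findtime = 1d
bantime  = 1w
```

After editing, `fail2ban-client reload` applies the change and `fail2ban-client status recidive` shows which hosts the second tier has caught.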