If you want to be extra paranoid, hide your open ports with port knocking and 
have your clients run from a script that knocks the proper sequence before 
making the connection :-)

Jay

On Feb 5, 2013, at 19:10, Jérémie Marguerie <jere...@marguerie.org> wrote:

> On Feb 5, 2013 23:03, "Bartek Krajnik" <bar...@bmk-it.com> wrote:
> >
> > Hi,
> > For ssh login attempts you can use the program authfail (after 4 wrong login
> > attempts it adds the proper IP to netfilter with a DROP rule, sending a
> > notification to the IP class owner from the whois database).
> 
> It sounds like a bit of overkill.
> Am I the only one sometimes typing my password incorrectly because I forgot 
> it?
> 
> Fail2ban does pretty much the same job but only bans for a few minutes. It's
> just a way to slow down brute force. Having 20 guesses per 10 minutes makes a
> brute force useless if the passwords are decent.
>
> And it will not annoy your users too much but will annoy stupid bots.
> 
> -- 
> Jérémie Marguerie
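
The temporary-ban policy discussed in the thread above, sketched as an added example that is not part of the original messages and is not the code of authfail or Fail2ban. The threshold of 4 failures comes from the thread; the 10-minute window, the 10-minute ban, the function name `find_bans` and the log lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample sshd log lines (documentation IP ranges), not real data.
SAMPLE_LOG = """\
Feb  5 19:00:01 host sshd[101]: Failed password for root from 203.0.113.7 port 40001 ssh2
Feb  5 19:00:03 host sshd[102]: Failed password for invalid user admin from 203.0.113.7 port 40002 ssh2
Feb  5 19:00:05 host sshd[103]: Failed password for jay from 198.51.100.20 port 50001 ssh2
Feb  5 19:00:06 host sshd[104]: Failed password for root from 203.0.113.7 port 40003 ssh2
Feb  5 19:00:09 host sshd[105]: Failed password for root from 203.0.113.7 port 40004 ssh2
Feb  5 19:00:30 host sshd[106]: Failed password for jay from 198.51.100.20 port 50002 ssh2
Feb  5 19:00:41 host sshd[107]: Accepted password for jay from 198.51.100.20 port 50003 ssh2
Feb  5 19:11:00 host sshd[108]: Failed password for root from 203.0.113.7 port 40005 ssh2
"""

FAILED = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) \S+ sshd\[\d+\]: "
                    r"Failed password for (?:invalid user )?\S+ from (\S+) port")

def find_bans(log, maxretry=4, findtime=600, bantime=600, year=2013):
    """Return [(ip, ban_start, ban_end)] for a temporary-ban policy."""
    recent = defaultdict(deque)   # ip -> failure times inside the window
    banned_until = {}             # ip -> time the current ban expires
    bans = []
    for line in log.splitlines():
        m = FAILED.match(line)
        if not m:
            continue
        stamp = " ".join(m.group(1).split())   # collapse syslog day padding
        now = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        ip = m.group(2)
        if banned_until.get(ip, now) > now:
            continue                           # still blocked; would be dropped
        window = recent[ip]
        window.append(now)
        while (now - window[0]).total_seconds() > findtime:
            window.popleft()                   # forget failures outside window
        if len(window) >= maxretry:
            end = now + timedelta(seconds=bantime)
            banned_until[ip] = end
            bans.append((ip, now, end))
            window.clear()
    return bans

if __name__ == "__main__":
    for ip, start, end in find_bans(SAMPLE_LOG):
        print(f"ban {ip} from {start:%H:%M:%S} until {end:%H:%M:%S}")
```

With the threshold at 4, the user who mistypes twice before logging in is never banned; lowering `maxretry` to 2 bans that user as well, which is the trade-off raised in the quoted reply.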
