On 2017-10-30, Gregory Edigarov <ediga...@qarea.com> wrote:
> On 29.10.17 03:20, x9p wrote:
>>
>> Coming from the Linux world, I wonder if there is a better alternative
>> to fail2ban, already being used in OpenBSD servers by the majority.
>>
> I suggest you NEVER use such "solutions". It's security by obscurity
> model, and therefore a bad very very bad thing.
> You'd be much safer completely turning off password authentication,
> using keys instead.

If someone is pushing a lot of auth attempts, they can be consuming meaningful amounts of CPU. (They're usually too quick to show up in top.) So restricting it can be useful from that point of view. Myself, I normally restrict ssh to connecting from a predefined list of IPs though ...