Is there any limit to the number of SSH login attempts? Is there any limit to the number of SSH login attempts in Debian 9? For example, assuming that my SSH server can respond within 100 ms, then theoretically someb...--prophetes.ai

Is there any limit to the number of SSH login attempts? Is there any limit to the number of SSH login attempts in Debian 9? For example, assuming that my SSH server can respond within 100 ms, then theoretically somebody could try one user/pw combination every 100 ms, or 10 per second, 600 per minute, 36,000 per hour. This is obviously not enough to crack the typical password, but could fill up logs in an annoying way. Is there any mechanism to thwart this kind of probing? (Note: I do not consider using PAM user try denials to be relevant here, because that is username specific. An automated script will not try the same username over and over, but will cycle usernames to avoid tripping the PAM count.)

Yes. Manual page for `ssh_config` specifies:

> `MaxAuthTries`
>
> Specifies the maximum number of authentication attempts permitted per connection. Once the number of failures reaches half this value, additional failures are logged. The default is 6.

This is for single connection, that usually takes around a second (algorithm negotiation, key exchange).

For public facing ssh server, it is wise to set up something to avoid this, generally fail2ban is very common and useful technique -- for several failed attempts, it bans temporarily the source IP so unless attacker has a large botnet of IPs, he is out of luck with several attempts per several hours.