Throttle accounts after failed SSH login attempts I have to set up a server that will allow remote logins. Obviously security is an issue. In this first pass we are discussing:- 1. Locking a person for 15 minutes i...--prophetes.ai

Throttle accounts after failed SSH login attempts I have to set up a server that will allow remote logins. Obviously security is an issue. In this first pass we are discussing:- 1. Locking a person for 15 minutes if they fail to login correctly three times in succession over a five minute period. 2. Locking them out totally and making them reset their password if they fail to login correctly, say, a dozen times in succession in any one 24 hour period. Are there any guidelines or best practices around? A search on the Internet suggests that there is a lack of guidelines on this.

You use DenyHOSTS. From the blurp on their webpage:

> enyHosts is a script intended to be run by Linux system administrators to help thwart SSH server attacks (also known as dictionary based attacks and brute force attacks).
>
> If you've ever looked at your ssh log (/var/log/secure on Redhat, /var/log/auth.log on Mandrake, etc...) you may be alarmed to see how many hackers attempted to gain access to your server. Hopefully, none of them were successful (but then again, how would you know?). Wouldn't it be better to automatically prevent that attacker from continuing to gain entry into your system?
>
> DenyHosts attempts to address the above... and more.

The more includes recording of all failed attempt for a user and offending host, and when a host reaches a certain threshold, blacklisting that host.