blacklist hosts after 3 wrong passwords
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
pam (Ubuntu) | Confirmed | Wishlist | Rick Clark | |
Bug Description
I don't install sshd on my system because I'm afraid of people brute force cracking my password, like in bug #58074.
My password is weak, because it's the password I use to log in on my computer and I must remember it. I didn't find a way to set another password for ssh than my password on the computer.
I think that ssh should have an option, enabled by default, to blacklist hosts if they enter the wrong password more than 3 times in a row. It should be easy to re-enable their connection by modifying e.g. /etc/sshd/
And when a host is blacklisted, it should be logged so that the user can diagnose why the remote SSH is no longer working. Blacklist entries could expire after 3 months, for instance (to avoid ever-growing blacklist files).
I think I read somewhere that it works like that on Mac. Certainly I don't see a big flaw in this approach, and it would be much more secure than the current approach.
Changed in openssh:
importance: Undecided → Wishlist
Changed in pam:
assignee: nobody → dendrobates
status: New → Confirmed
You can achieve roughly the same thing already using the "fail2ban" package, which adds temporary iptables rules when it sees enough failed attempts on ssh (and other services).
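The policy requested in the description (three wrong passwords in a row, a logged blacklist entry, expiry after about three months), as an added example that is not part of the original report and is not code from OpenSSH, PAM or fail2ban. It only computes the blacklist from sshd password-authentication log lines; the log lines are constructed samples with an assumed ISO timestamp prefix, and `scan`, `is_banned`, `MAX_FAILURES` and `BAN_LIFETIME` are hypothetical names.

```python
import re
from datetime import datetime, timedelta

MAX_FAILURES = 3                   # threshold proposed in the bug description
BAN_LIFETIME = timedelta(days=90)  # "3 months", taken as 90 days (assumption)

# OpenSSH password-auth result lines; ISO timestamp prefix is an assumption.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?:invalid user )?\S+ from (?P<host>\S+) port \d+"
)

# Constructed sample log (documentation-range addresses, not real data).
SAMPLE_LOG = """\
2024-01-01T10:00:00 srv sshd[101]: Failed password for root from 203.0.113.5 port 4000 ssh2
2024-01-01T10:00:05 srv sshd[102]: Failed password for alice from 198.51.100.7 port 4100 ssh2
2024-01-01T10:00:10 srv sshd[103]: Failed password for invalid user admin from 203.0.113.5 port 4001 ssh2
2024-01-01T10:00:12 srv sshd[104]: Failed password for alice from 198.51.100.7 port 4101 ssh2
2024-01-01T10:00:15 srv sshd[105]: Accepted password for alice from 198.51.100.7 port 4102 ssh2
2024-01-01T10:00:20 srv sshd[106]: Failed password for root from 203.0.113.5 port 4002 ssh2
2024-01-01T10:00:30 srv sshd[107]: Failed password for root from 203.0.113.5 port 4003 ssh2
2024-01-02T09:00:00 srv sshd[108]: Failed password for alice from 198.51.100.7 port 4103 ssh2
"""

def is_banned(banned, host, now):
    """True while the host's blacklist entry has not expired."""
    return host in banned and now < banned[host]

def scan(lines):
    """Return ({host: ban expiry}, [log messages]) from sshd log lines."""
    streak, banned, events = {}, {}, []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, host = datetime.fromisoformat(m["ts"]), m["host"]
        if is_banned(banned, host, ts):
            continue  # an enforcing firewall would already drop this host
        if m["result"] == "Accepted":
            streak[host] = 0  # "in a row": a successful login resets the count
            continue
        streak[host] = streak.get(host, 0) + 1
        if streak[host] >= MAX_FAILURES:
            banned[host] = ts + BAN_LIFETIME
            streak[host] = 0
            events.append(f"{ts.isoformat()} blacklisted {host} until {banned[host].isoformat()}")
    return banned, events
```

On the sample, only 203.0.113.5 is blacklisted; 198.51.100.7 fails three times in total but never three times in a row, so a mistyped password followed by a correct one does not lock the user out.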