"The question before the house" should be: "Why did you allow(?!?!) 'anyone on earth' to see a login: prompt, in the first place?"
No one should be allowed to get that far, unless they have already passed a very-considerable gantlet which has nothing to do with "a password."
As I discuss in my blog post, How To Build A 'Dwarvish Door' with OpenVPN, every one of your systems should present "a smooth, featureless(!) wall" to the outside world. To any and every "port scanner" or "script kiddie," there should be nothing(!) there except (say ...) http. (These being the only ports that you intend for outsiders to routinely access.)
It should not even be evident that there exists, in fact, a third alternative: OpenVPN. Thanks to the tls-auth feature, the existence of an OpenVPN server should not even be visible, unless one should possess an initial 1024-bit cryptographic key that will "cause a keyhole to appear." Having "found the keyhole," the only possible way forward should be to possess a 4096-bit one-of-a-kind cryptographic key.
Only then should you first encounter ssh, which then demands, not a password, but yet-another cryptographic key. (The visitor is never once given the opportunity to enter a "login password.")
Yep, if anyone shows up inside the courtyard, having passed through both of these safeguards, you can welcome him or her as "an old friend," because you fairly-well know already who they must be. After all, s/he must have been in possession of three one-of-a-kind, not-revoked digital credentials! Since the credentials are "one of a kind," you already know with very-great certainty exactly who this visitor is.
(And, should the visitor turn out to be an imposter, you can swiftly and decisively react by revoking this visitor's credentials. Instantly, this visitor is shut-out, while no other authorized visitor is even inconvenienced.)
"Thousands of attempts?"
Uh uh. How about, "zero?"
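Added here as a worked example, not part of the original post or the linked blog: the three layers the post describes (a tls-auth gate that makes the OpenVPN port drop unauthenticated packets, mandatory client certificates with revocation enforced, and an sshd behind the tunnel that never offers a password path), written out as the server-side settings that create them, plus a small POSIX-shell audit a defender can point at the live files. The file names (`ta.key`, `crl.pem`), the tunnel address, the directory layout and both sample configurations are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the original post). Sample configs are constructed;
# file names and the 10.8.0.1 tunnel address are assumptions for illustration.

# Layers 1 and 2: OpenVPN server. "tls-auth" makes the daemon discard any UDP
# packet that lacks a valid HMAC under the shared static key before any TLS
# handshake begins, so a port scanner gets no reply at all. Client
# certificates are then required and checked against a revocation list.
OPENVPN_CONF='port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh.pem
tls-auth ta.key 0
remote-cert-tls client
verify-client-cert require
crl-verify crl.pem
'

# Layer 3: sshd reachable only on the tunnel address, public-key only.
# Password and keyboard-interactive methods are off, so no "login password"
# prompt is ever presented.
SSHD_CONF='ListenAddress 10.8.0.1
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
ChallengeResponseAuthentication no
PermitRootLogin no
'

# write_sample_configs DIR: materialise the two constructed configs.
write_sample_configs() {
  printf '%s' "$OPENVPN_CONF" > "$1/server.conf"
  printf '%s' "$SSHD_CONF" > "$1/sshd_config"
}

# setting_is FILE KEYWORD VALUE: true when the effective sshd value matches.
# sshd honours the first occurrence of a keyword, so the first match wins.
# Handles the common "Keyword value" form (keywords are case-insensitive).
setting_is() {
  _got=$(grep -Ei "^[[:space:]]*$2([[:space:]]|$)" "$1" | head -n 1 | awk '{print $2}')
  [ "$_got" = "$3" ]
}

# audit_openvpn FILE: 0 when the packet gate, certificate requirement and
# revocation check are all present. tls-crypt provides the same gate as
# tls-auth and is accepted too.
audit_openvpn() {
  grep -Eq '^[[:space:]]*tls-(auth|crypt)[[:space:]]' "$1" || return 1
  grep -Eq '^[[:space:]]*crl-verify[[:space:]]' "$1" || return 1
  # client certificates must not have been made optional
  if grep -Eq '^[[:space:]]*verify-client-cert[[:space:]]+(none|optional)' "$1"; then
    return 1
  fi
  return 0
}

# audit_sshd FILE: 0 when only public-key authentication can succeed.
# A missing PasswordAuthentication line means the OpenSSH default (yes),
# so absence is treated as a failure, which is the conservative reading.
audit_sshd() {
  setting_is "$1" PasswordAuthentication no || return 1
  setting_is "$1" KbdInteractiveAuthentication no || return 1
  setting_is "$1" ChallengeResponseAuthentication no || return 1
  # PubkeyAuthentication defaults to yes; only an explicit "no" is a problem
  if setting_is "$1" PubkeyAuthentication no; then
    return 1
  fi
  return 0
}

# Stand-alone run: write the samples to a scratch directory and audit them.
demo_dir=$(mktemp -d)
write_sample_configs "$demo_dir"
if audit_openvpn "$demo_dir/server.conf"; then echo "openvpn: gated"; else echo "openvpn: visible"; fi
if audit_sshd "$demo_dir/sshd_config"; then echo "sshd: key-only"; else echo "sshd: password path open"; fi
rm -rf "$demo_dir"
```

Pointing `audit_openvpn` and `audit_sshd` at the real `/etc/openvpn/server.conf` and `/etc/ssh/sshd_config` gives a quick check that the "smooth wall" is still intact after a package upgrade or a hurried edit; the revocation step the post relies on only works if `crl-verify` is present and the CRL file is actually regenerated when a client certificate is revoked.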