Originally Posted by babysparrow
Is there no way that I can change the config (perhaps in /etc/ssh/ssh_config) to allow only three (say) failed attempts from the same ip ?
There are a few ways. Assuming you are either the only one who logs in, or you have a small group, briefly:
> MaxAuthTries 1
> PasswordAuthentication no
(a) will reduce the number of attempts that the brute machine can make on any single connection attempt.
(b) will force the client (you) to use public-key authentication and will automatically deny the user access if he doesn't have a valid public key. There's a how-to here for that.
Then, probably the best for your situation
> HostbasedAuthentication yes
Check the manpage for that last one. Basically it will only even bother to try to get credentials from a user who is connecting from a particular set of pre-defined hosts and drop everyone else.
There are also firewall rules you can implement for this that will limit the number of attempts on a given port in a given amount of time. If you set something like -m limit --limit 5/m --limit-burst 5 -j REJECT
you're telling the firewall to reject the packet if more than 5 per minute come in. You'd have to set a really long interval like this for it to make any difference. BUT you probably don't want to do that! Why? Well, what if YOU try to log in once the limit is reached? You won't be able to until the firewall timer has expired. Now, what if your attacker continues his attack for hours? You can't log in until he finishes his attack, which, if it's brute-force automated set-then-go-to-bed, it could be hours. If it's from Sing., like mine all have been, he'll be sleeping while you're on the clock at work. Not a good combo.