What are good ways to accomplish this? I wrote my own script to do this years ago, but I'm now investigating if there is a better "standard" method.

My SSHD setup only allows pubkey authentication. No other methods. So I have in my sshd_config (partial listing of the contents):
I am no expert on PAM (far from it!), but can I still use pam_faillock to lockout accounts given the above? I'm not sure because both PasswordAuthentication and ChallengeResponseAuthentication are set to no, and I'm not sure PAM has any knowledge of PubkeyAuthentication.

But what I really want to do is lockout the incoming IP address that is trying to authenticate (not the user account) after 3 failed authentication attempts, but then automatically restore the ability of that IP to attempt to login after one hour. I don't know if PAM can lockout IPs (as opposed to accounts), nor do I know if it can automatically unlock them after a set length of time. So PAM may not be the answer. PAM is quite complex and I just have never taken the time to learn it other than a basic understanding of some of the simpler things it can do.

Anyway, this is not urgent since I have a script (actually, a set of scripts) that does all this already. I'm just wondering if there is a more standard method than my homegrown one.

I would, quite frankly, avoid the situation entirely: use digital certificates with ssh, and prohibit the use of password login.

If you are a possessor of the specified key (and passphrase), then you can log in without further ado: no password prompt is required, because the credentials you have presented are far stronger than any "magic word." If the key is compromised, simply invalidate the key.

It's senseless to allow anyone on the Internet to "present a password" to your system.

They can't present a password to my system, since it only allows pubkey authentication. So I'm covered there.

But I like multiple layers of security. While allowing only one single user (me!) access to the system (via AllowUsers in sshd_config), and only allowing pubkey authentication, I think the system is already pretty secure. I have no other tcp LISTEN'ers running, except for CUPS, and that is only on the localhost adapter. But this SSHD setup is only ONE layer - all based on the sshd_config file. As another layer, locking out IPs that fail to authenticate just provides that much more protection. Say if I were to somehow accidently screw up my sshd_config file during editing one day, this extra layer of IP lockout might save my butt.

I thought fail2ban did this?

Thanks! Now that you mention it, I have heard of Fail2Ban before. I googled it, found a Wiki page, and that page also had a link to another similar program, DenyHosts.

I am researching these two now. They appear similar to my homegrown scripting, except they appear to parse logfiles to determine failed login attempts whereas my homegrown thing integrates with SSH in realtime (using linkage via /etc/ssh/sshrc). Don't know which method is better, but I'll do some research on these alternate programs. Thanks again.

Glad to remind you. If you come up with any scripts like fail2ban I'd be happy to test them though I only have virtual servers with limited exposure.

You don't need to test, but since you expressed some interest, below is my "homegrown method" that I posted about years ago. Still works fine, I was just researching to see if someone came up with a better way since then. Generally, a "standard" program would be preferable to my homegrown method. But I guess every program is initially a "homegrown method".

http://www.linuxquestions.org/questi...6/#post2290296

BTW, subsequent to the above post describing my method, I implemented a simple cron job to clear out IP addresses that had been banned after a certain length of time. That cron job just edited /etc/hosts.allow and removed dated entries.

Depending on your circumstance, you REALLY don't want to do that.

Especially if you support multiple users.

You could get many connection attempts from one system, each from a different user. Locking out that system would lock out all users, even those that have not had a failure...

It could even be a DOS..

The technique is fairly useful for web servers as the connecting host will most often be a single system. But a generic service like ssh is used for copying files from server to server, remote backups, and even distributed computation.

Denying access to a workstation due to a user error would also block system backups done by a different account...

What I use this for is restricting access to my home computer, which has one user - me - and I only want one user from the outside world - me (when I'm not at home) - to be able to get in.

On the multiple user computers I manage at work, yes, I agree with you, this would be totally inappropriate. It's good that you brought up this point, since I failed to mention my unique "one user" scenario in my initial post. Thanks.

Incidentally, if you want to lock out accts (as opposed to IPs), see pam_tally.