On Debian stable I find that if I fat-finger the password while trying to SSH into another Debian box, I am completely locked out of that machine for a period, maybe 5-10 minutes. That means that I cannot ping the computer I am attempting to SSH in to, the terminal tab that I am attempting to log in from is frozen, and, far and away most annoyingly, any mounted Samba shares from the server lock up and the machine I am attempting to log in from basically becomes unresponsive until I force-dismount the Samba share. This seems a rather extreme penalty for a single failed attempt to log in to SSH. If this happened after 3 failed SSH password attempts, fine, you want to prevent brute-force logins. But a single mucked-up password on a home system behind a router's firewall?
I've looked at the files in /etc/ssh & /etc/pam.d and messed with the man pages for ssh, ssh_config, & sshd_config & did a web search and a cursory search of this august forum and all I got was a sore noggin. I suspect this is some sort of PAM setting?
Can someone please belt me with a clue-stick?
SOLVED: 1 failed ssh password attempt locks all access
Re: SOLVED: 1 failed ssh password attempt locks all access
Thanks muchly, reinob, that was the belt up-side the head that I needed.
I didn't have fail2ban, but did have sshguard installed. I just added the IP addresses of my other computers to the file /etc/sshguard/whitelist and I could merrily mistype my password without being locked out for 2 minutes. I wasn't being locked out for 5-10 minutes, it only felt that way; according to /etc/sshguard/sshguard.conf:
BLOCK_TIME=120
Incidentally, the freezes were on my local file & web server in the attic. I'd changed the operating system from Ubuntu LTS to Debian recently when I borked an update after being too lusty removing no-longer-supported i386 packages while trying to upgrade to Focal Fossa, and my ssh keys were not the same, so every time I tried to SSH to the box from a different client I would get the standard message:

[user@hostname ~]$ ssh root@pong
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
6e:45:f9:a8:af:38:3d:a1:a5:c7:76:1d:02:f8:77:00.
Please contact your system administrator.
Add correct host key in /home/hostname /.ssh/known_hosts to get rid of this message.
Offending RSA key in /var/lib/sss/pubconf/known_hosts:4
RSA host key for pong has changed and you have requested strict checking.
Host key verification failed.

That was enough to trigger the time-out even if I removed the offending key from my ~/.ssh/known_hosts file immediately and tried SSHing in again.
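As an added example (not from the thread or the sshguard project), here is a small POSIX shell script that answers the question the reply above settles by hand: is a given client address covered by an entry in /etc/sshguard/whitelist (plain addresses and CIDR blocks; hostnames are skipped), and what BLOCK_TIME does sshguard.conf set? The function names, the file paths passed on the command line and the sample addresses are my own.

```sh
#!/bin/sh
# Added example: check an sshguard whitelist and BLOCK_TIME for one client.
# Usage: sh check_sshguard.sh <ipv4> /etc/sshguard/whitelist /etc/sshguard/sshguard.conf

# Convert a dotted-quad IPv4 address to a 32-bit integer.
ip4_to_int() {
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Succeed if IPv4 address $1 lies in $2 (a plain address or a CIDR block).
ip4_matches() {
    case $2 in
        */*) net=${2%/*}; bits=${2#*/} ;;
        *)   net=$2; bits=32 ;;
    esac
    mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
    [ $(( $(ip4_to_int "$1") & mask )) -eq $(( $(ip4_to_int "$net") & mask )) ]
}

# Succeed if address $1 is covered by whitelist file $2. sshguard accepts one
# address, CIDR block or hostname per line and '#' comments; hostnames are skipped.
ip4_whitelisted() {
    ip=$1; file=$2
    while IFS= read -r line || [ -n "$line" ]; do
        entry=${line%%#*}            # drop trailing comments
        set -- $entry; entry=${1:-}  # trim surrounding whitespace
        printf '%s\n' "$entry" | grep -Eq '^[0-9]+(\.[0-9]+){3}(/[0-9]+)?$' || continue
        ip4_matches "$ip" "$entry" && return 0
    done < "$file"
    return 1
}

# Print the BLOCK_TIME (seconds an attacker stays blocked) set in conf file $1.
block_time() {
    sed -n 's/^[[:space:]]*BLOCK_TIME=\([0-9][0-9]*\).*/\1/p' "$1" | tail -n 1
}

# Human-readable verdict for one client; returns 0 only when it is whitelisted.
check_client() {
    if ip4_whitelisted "$1" "$2"; then
        echo "$1 is whitelisted: failed logins from it are never blocked"
    else
        echo "$1 is NOT whitelisted: a detected attack blocks it for $(block_time "$3")s"
        return 1
    fi
}

[ $# -eq 3 ] && check_client "$@"
```

A client on the LAN subnet listed in the whitelist is reported as exempt, while one outside it is reported together with the configured block duration, which is the 120 seconds the reply quotes.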