On Mon, Jul 27, 2015 at 8:43 PM, Lars Seipel <lars.seipel(a)gmail.com> wrote:
On Mon, Jul 27, 2015 at 11:19:41AM -0600, Chris Murphy wrote:
> Why is password quality being targeted rather than the number of ssh
> attempts being set to e.g. 3 per minute, by default? And does this
> sufficiently mitigate the concern, and if not, why not?
Restricting login attempts means that now even the most naïve kind of
attack can lock me out of my machine. You know, the really stupid
attacks that rain down on almost any internet host in gigantic numbers
but are effectively countered by using anything but the most trivial of
passwords.
Not if you apply the limit per IP (of the client).