I manage a small FreeIPA domain that has one server that can be accessed 
through ssh from the internet. I occasionally find that the admin account is 
locked, when I try to log in to the FreeIPA admin interface (not available from 
the Internet), and it seems that this is due to an endless stream of incoming 
ssh authentication attempts for common names like "root" and "admin", and in 
the latter case, the authentication is forwarded to the FreeIPA server (since 
the user exists in the directory, I suppose), and the account gets locked out 
temporarily now and then due to too many failed attempts. Now, admin is not 
actually supposed to be able to login through ssh (or as a POSIX account in 
general), so I have tried to add:
     DenyUsers  admin
to sshd_config on that server to filter out these attempts, but it seems (as 
far as I can see in the logs) that the authentication is still tried against 
the FreeIPA server, before it gets blocked by sshd. What is the best way to 
prevent the evil bots of the Internet from locking out my admin account?
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org

Reply via email to