On Jun 4, 2009, at 6:16 AM, henry ritzlmayr wrote:
The problem: If the attacker wouldn't have closed and reopened the connection no log would have been generated and he/she would have endless tries.
With v1.2+ the login failure delay grows after each failed login.
If I enable auth_verbose every attempt gets logged, but if I read the docs correctly this option should only be used for figuring out why authentication isn't working.
auth_debug is for figuring out why it's not working. auth_verbose is
useful if you actually care about logging that information. I guess in
your case you would care.
Question: Is there any way to close the connection after the first wrong user/pass combination. So an attacker would be forced to reopen it?
I think the growing delay is a better idea.