Not necessarily, I've seen both - where an IP did try just 2 or 3On Tuesday 24 February 2015 13:08:46 Tomas Mraz wrote:
> On Út, 2015-02-24 at 12:32 +0100, Hubert Kario wrote:
> > rate limiting and denyhosts have no impact what so ever when the attacker
> > has a botnet to his disposal
> Large botnet means that the attack is targeted. I do not think we can
> prevent targeted attack against weak password in the default
> configuration. What we should aim at is prevention of non-targeted
> attacks such as attacks you can see when you open ssh port on a public
> IP almost immediately. These attacks usually come from single IP
password/user combinations and ones that did try dozens.
Having access to botnet is not uncommon or expensive, making it possible for
"bored student" kind of targeted attacks. You can do low level of such an
attack with just EC2.
I'm not saying that we shouldn't have rate limiting, but it shouldn't be the
only thing above simple dictionary check.