I have a question about a behavior I’m getting right now when logging in via SSH. Right after installing I start up sshd, and if I log in via SSH it freezes after five failed attempts, and then if I try to connect to the server again it will not even connect and just times out. This is great, but where is it blocking the additional attempts to connect? If I restart the machine and restart sshd it will allow me to connect to the login prompt again, but I’d like to know where I can remove the block without restarting in the event I have to in the future.
I don’t see anything in the PAM directories that indicates the issue. There doesn’t even appear to be a deny statement for a certain number of login attempts. Does anyone know where I could find and unblock whatever is blocking my ability to connect after 5 unsuccessful attempts?
I’m answering my own question in case anyone else runs into this. This is a result of tallow writing an iptables rule that excludes basically all external connections after 3 failed re-login attempts. Once this rule is written into ipset it lasts for 3600 seconds by default and you will then be able to attempt a login again.
To see if your IP is blocked: # ipset list tallow
To unblock your IP: # ipset del tallow [IP ADDRESS]
Note, you can whitelist addresses in tallow.conf to avoid it. Read man tallow.conf. Also, by default, tallow doesn’t block local LAN address families (e.g. 192.168/16 and 10/8 etc.)
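An added example, not part of the original posts: a shell helper that parses `ipset list tallow` output to report whether an address is in the set and how many seconds of the block remain, then removes it with the `ipset del` command from the answer above. The function names and the sample listing are constructed for illustration, and the addresses are documentation ranges.

```shell
#!/bin/sh
# Constructed sample of `ipset list tallow` output (not real data).
SAMPLE_LIST='Name: tallow
Type: hash:ip
Revision: 4
Header: family inet hashsize 1024 maxelem 65536 timeout 3600
Size in memory: 312
References: 1
Number of entries: 2
Members:
203.0.113.7 timeout 3412
198.51.100.23 timeout 95'

# Read `ipset list` output on stdin and print the seconds remaining for the
# address in $1. Exit status is 0 if the address is a member, 1 if it is not.
block_remaining() {
    awk -v ip="$1" '
        /^Members:/ { in_members = 1; next }
        # Compare the whole first field so 203.0.113.7 never matches
        # 203.0.113.70, which a plain substring grep would do.
        in_members && $1 == ip {
            found = 1
            for (i = 2; i < NF; i++)
                if ($i == "timeout") { print $(i + 1); exit }
            print "permanent"   # entry listed without a timeout
            exit
        }
        END { exit(found ? 0 : 1) }
    '
}

# Remove the block for the address in $1 if it is present (needs root).
# Hypothetical wrapper around the two commands given in the answer.
unblock() {
    if left=$(ipset list tallow | block_remaining "$1"); then
        echo "$1 is blocked ($left seconds left), removing"
        ipset del tallow "$1"
    else
        echo "$1 is not in the tallow set"
    fi
}

# Typical use from a console or a second, unblocked host:
#   unblock 203.0.113.7
```
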