by bioneuralnet
892 days ago
If you can't prevent some users from having passwords, it's a decent, low-effort way to discourage intrusion attempts. One place it DOESN'T necessarily work great is in k8s. A few years ago I had to migrate an ancient VM running OpenSSH (for SFTP only) to our k8s cluster. 99% of the users had passwords instead of keys. Easy enough to run sshd in a container with a mounted volume, but I wanted something to recognize and block repeated bad login attempts (the old VM had no such protections). sshd doesn't do it natively, and fail2ban wasn't a good option since you generally don't want a pod messing with a k8s node's iptables. What I ended up with was a Ruby script with 3 threads: one to monitor the auth log for failed logins, a second to lock accounts with repeated failures during a given window, and a third to unlock them after some period (and in the darkness bind them). Definitely some caveats in there, but it was an improvement over the status quo.
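The lock/unlock bookkeeping behind that three-thread design, as an added Ruby example that is not the commenter's script: it parses sshd's "Failed password" lines, keeps a sliding window of failures per user, and reports which users to lock and which locks have expired. The threads, the log tail and the `usermod -L` / `usermod -U` calls are assumed to live in the caller, and the log lines are constructed.

```ruby
# Sliding window of failed logins per user plus a lock list with expiry.
# No threads or shell calls, so the policy can be exercised offline;
# the actual `usermod -L` / `usermod -U` calls are left to the caller.
class FailedLoginTracker
  FAILED = /Failed password for (?:invalid user )?(\S+) from (\S+)/
  attr_reader :locked

  # Lock after max_failures within window seconds; unlock after lock_for seconds.
  def initialize(max_failures: 5, window: 300, lock_for: 900)
    @max_failures, @window, @lock_for = max_failures, window, lock_for
    @failures = Hash.new { |h, k| h[k] = [] } # user => failure timestamps
    @locked = {}                               # user => unlock-at time
  end

  # Feed one sshd log line; returns the user to lock now, else nil.
  def observe(line, now = Time.now)
    return nil unless (m = FAILED.match(line))
    user = m[1]
    return nil if @locked.key?(user)           # already locked
    ts = @failures[user]
    ts << now
    ts.reject! { |t| now - t > @window }       # drop failures outside the window
    return nil if ts.size < @max_failures
    ts.clear
    @locked[user] = now + @lock_for
    user
  end

  # Users whose lock has expired; the caller unlocks them.
  def expired(now = Time.now)
    due = @locked.select { |_, at| at <= now }.keys
    due.each { |u| @locked.delete(u) }
    due
  end
end

# Constructed sample lines in sshd's syslog format (not real log data).
SAMPLE_LOG = [
  "Mar 10 12:00:01 sftp sshd[1234]: Failed password for bob from 203.0.113.5 port 51234 ssh2",
  "Mar 10 12:00:02 sftp sshd[1235]: Accepted publickey for alice from 198.51.100.7 port 40000 ssh2",
  "Mar 10 12:00:04 sftp sshd[1236]: Failed password for invalid user admin from 203.0.113.5 port 51236 ssh2",
  "Mar 10 12:00:05 sftp sshd[1237]: Failed password for bob from 203.0.113.5 port 51237 ssh2",
  "Mar 10 12:00:09 sftp sshd[1238]: Failed password for bob from 203.0.113.5 port 51238 ssh2",
].freeze

# Replay the sample one second apart with a 3-failure threshold;
# returns [users locked during the replay, users whose lock expired 700 s later].
def replay(lines = SAMPLE_LOG, threshold: 3)
  tracker = FailedLoginTracker.new(max_failures: threshold, window: 60, lock_for: 600)
  t0 = Time.utc(2024, 3, 10, 12, 0, 0)
  locks = lines.each_with_index.filter_map { |l, i| tracker.observe(l, t0 + i) }
  [locks, tracker.expired(t0 + 700)]
end
```

The window is keyed per user, so one source trying many different accounts is not caught here; counting per source address as well, and preferring throttling over a hard lock, keeps anyone who merely knows a username from locking its owner out.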