Fail2Ban makes already a good work by warning a admin on receiving failed logins-try notifications and banning IPs. This difficults a hack, but not makes it impossible.
A possible indication of a successfull hack is a succesfull login from an untrusted host or untrusted network. In this case it would be somthing like a "last alert" for the admin that something is maybe wrong. Trusted host/networks are probably in most cases those that already are ignored.
In my case, I only login using a passfrase with pub/priv.key (ssh). If someone successfull logins without it, it would also be an indication.
Log in to post a comment.