I’ve run into an interesting problem on an externally facing server that accepts password-based authentication.
The server is running CentOS 7.7.
If a user tries to log in with a password via SSH and types in a bad password, Duo still pushes out a notification prompt to the end user. If the user accepts the prompt, they are then prompted for the password again (followed by another Duo push).
Is there a way to get this so Duo only pushes on a successful password entry? This server gets quite a few password scans run against it, and even with fail2ban the users still get several pushes that don’t need to happen before the scanning IP is banned.