JohnB If the firewall management API will allow "add $IP to deny for $service on $server" then hopefully we can also say "add $IP to deny for $service on $server and allow $user to remove". We can then have a log monitor on ssh: if we see an IP trying to brute force multiple users, we can call the API via an action.d to add a global ban for 24 hours; if we see an IP trying to brute force a specific user, we can call the API via an action.d to add a global ban for 24 hours and allow the $user to remove it without waiting 24 hours. This granularity, giving the users the ability to remove bans, will allow us to be more aggressive. The alternative is to make the firewall deny all to a service by default and then allow the user to allow specific IPs globally, but some people are on frequently changing IPs and won't like it and can't always VPN to get around it.
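
The decision logic described above, as an added example that is not part of the original post: it reads sshd failure lines and builds one ban request per offending IP, marking the ban as user-removable only when a single existing account was targeted. The request fields (`removable_by`, `scope`, `ttl`), the failure threshold and the sample log are assumptions, since the post does not specify the firewall API.

```python
import re
from collections import defaultdict

# Constructed sshd log lines (documentation IP ranges), not from the original post.
SAMPLE_LOG = """\
Jan 10 10:00:01 gw sshd[101]: Failed password for alice from 203.0.113.5 port 4000 ssh2
Jan 10 10:00:03 gw sshd[102]: Failed password for bob from 203.0.113.5 port 4001 ssh2
Jan 10 10:00:05 gw sshd[103]: Failed password for carol from 203.0.113.5 port 4002 ssh2
Jan 10 10:01:00 gw sshd[110]: Failed password for alice from 198.51.100.7 port 5000 ssh2
Jan 10 10:01:02 gw sshd[111]: Failed password for alice from 198.51.100.7 port 5001 ssh2
Jan 10 10:01:04 gw sshd[112]: Failed password for alice from 198.51.100.7 port 5002 ssh2
Jan 10 10:02:00 gw sshd[120]: Failed password for dave from 192.0.2.9 port 6000 ssh2
Jan 10 10:03:00 gw sshd[130]: Failed password for invalid user admin from 192.0.2.44 port 7000 ssh2
Jan 10 10:03:02 gw sshd[131]: Failed password for invalid user admin from 192.0.2.44 port 7001 ssh2
Jan 10 10:03:04 gw sshd[132]: Failed password for invalid user admin from 192.0.2.44 port 7002 ssh2
"""

FAILED = re.compile(r"Failed password for (invalid user )?(\S+) from (\S+) port \d+")
THRESHOLD = 3            # assumed: failures per IP before a ban is requested
BAN_SECONDS = 24 * 3600  # the 24-hour ban from the post

def plan_bans(log_text, threshold=THRESHOLD):
    """Build one ban request per offending IP for a hypothetical firewall API."""
    seen = defaultdict(lambda: {"count": 0, "users": set(), "invalid": False})
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if not m:
            continue
        invalid, user, ip = m.groups()
        entry = seen[ip]
        entry["count"] += 1
        entry["users"].add(user)
        entry["invalid"] = entry["invalid"] or bool(invalid)
    requests = []
    for ip, entry in sorted(seen.items()):
        if entry["count"] < threshold:
            continue
        # Only one real account targeted: let that user lift the ban early.
        single = len(entry["users"]) == 1 and not entry["invalid"]
        requests.append({
            "action": "deny", "ip": ip, "service": "ssh", "scope": "global",
            "ttl": BAN_SECONDS,
            "removable_by": next(iter(entry["users"])) if single else None,
        })
    return requests

if __name__ == "__main__":
    for request in plan_bans(SAMPLE_LOG):
        print(request)
```

Attempts against nonexistent accounts never grant removal rights, because there is no legitimate user who could be locked out by that ban.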