[Bug 1049] Variable delay in password logins to fight dictionary attacks

bugzilla-daemon at mindrot.org bugzilla-daemon at mindrot.org
Tue May 31 21:04:54 EST 2005


http://bugzilla.mindrot.org/show_bug.cgi?id=1049

           Summary: Variable delay in password logins to fight dictionary
                    attacks
           Product: Portable OpenSSH
           Version: 3.8.1p1
          Platform: ix86
        OS/Version: Linux
            Status: NEW
          Severity: enhancement
          Priority: P2
         Component: sshd
        AssignedTo: bitbucket at mindrot.org
        ReportedBy: heikki at indexdata.dk


I have seen many dictionary attacks on my ssh servers. I was thinking of a simple way to slow
them down: Add a small delay to the login. Start with a half second, and double every time a
password-based (or other) login fails from the same IP address, up to some limit.

This requires keeping a small array in memory, with each IP address that has recently failed
to log in, delay time, and a time stamp when a login from them will be allowed again.

In a similar way, it should be possible to keep a time-out for each username, again doubling it.
At a login, take the greater of the two delays.

Both tables can be limited to (say) 10000 entries, and if they overflow, discard the oldest entries.
Actually, this could also be used for logins that do not try passwords, in case someone tries to
brute-force something else...

Possibly this is a well-known theory, and there is a well-known reason not to use it. If so, I'd
like to hear about it.



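The scheme proposed in the report, as an added example (not OpenSSH code and not the reporter's): two capped backoff tables, one keyed by source address and one by username, each starting at half a second and doubling on every failure up to a limit, with the login waiting for the greater of the two delays and the oldest entry discarded when a table overflows. The clock is passed in explicitly so the runs are deterministic; clearing an entry on a successful login is an assumption the report does not state.

```python
from collections import OrderedDict

class BackoffTable:
    """Capped table of exponential-backoff entries keyed by IP address or username.
    Each entry holds the current delay and the time at which a login is allowed again."""

    def __init__(self, base=0.5, cap=64.0, max_entries=10000):
        self.base, self.cap, self.max_entries = base, cap, max_entries
        self.entries = OrderedDict()  # key -> (delay, allowed_at), oldest first

    def delay_for(self, key, now):
        """Seconds this key must still wait before its next attempt (0 if none)."""
        entry = self.entries.get(key)
        return max(0.0, entry[1] - now) if entry else 0.0

    def record_failure(self, key, now):
        """Start at `base` on the first failure, double on each later one, up to `cap`."""
        entry = self.entries.pop(key, None)
        delay = min(entry[0] * 2, self.cap) if entry else self.base
        self.entries[key] = (delay, now + delay)
        while len(self.entries) > self.max_entries:  # overflow: discard the oldest entry
            self.entries.popitem(last=False)

    def record_success(self, key):
        """Assumption (not stated in the report): a successful login clears the entry."""
        self.entries.pop(key, None)

class LoginThrottle:
    """Per-IP and per-username tables; a login waits for the greater of the two delays."""

    def __init__(self, **table_options):
        self.by_ip = BackoffTable(**table_options)
        self.by_user = BackoffTable(**table_options)

    def required_delay(self, ip, user, now):
        return max(self.by_ip.delay_for(ip, now), self.by_user.delay_for(user, now))

    def report(self, ip, user, succeeded, now):
        for table, key in ((self.by_ip, ip), (self.by_user, user)):
            table.record_success(key) if succeeded else table.record_failure(key, now)

def simulate(attempts, **table_options):
    """Run constructed (ip, user, succeeded, now) attempts; return the wait imposed on each."""
    throttle, waits = LoginThrottle(**table_options), []
    for ip, user, succeeded, now in attempts:
        waits.append(throttle.required_delay(ip, user, now))
        throttle.report(ip, user, succeeded, now)
    return waits

if __name__ == "__main__":
    # Constructed sample: one address fails four times on "root", then a second address tries that name.
    attempts = [("198.51.100.7", "root", False, 1000.0)] * 4 + [("203.0.113.9", "root", False, 1000.0)]
    print(simulate(attempts))  # [0.0, 0.5, 1.0, 2.0, 4.0]
```

Note that the per-username table lets anyone who fails logins against a name raise that user's delay, which is the usual objection to keying on usernames.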



