Time to add exponential backoff for SSH interactive login failures?

Jay Libove libove at felines.org
Wed Dec 15 23:42:54 EST 2004


With the growing number of username/password pairs being tried by the low
level SSH attack which we've all seen in the past few months (I am now
seeing some series of attempted logins through SSH which try fifty-plus
different IDs, some with more than one password; I've seen 60 hits on
"root" in a row), I propose that it is time to add exponential backoff for
SSH interactive login failures.

Configurably in 'sshd_config' and/or on the sshd command line, a new
option would set the delay suffered after the first failed login on a
given connection before the next prompt would appear, along with the
multiplier for subsequent delays.

e.g. 'sshd -eat_this_delay_you_attackers 5 2'

 .. would result in an SSH daemon running where an attacker would
experience a five second delay after the first failed interactive login
attempt before the next password prompt came up, then a ten second delay
after the second, a twenty second delay after the third, etc. up until the
existing authentication timeout value is reached and the connection is
closed.

This would reduce the effectiveness of any kind of brute force attack
against SSH, and would reduce the impact on our systems by slowing the
number of authentication attempts per unit time.

Discussion, pros/cons?

Thanks
-Jay Libove, CISSP
libove at felines.org
Atlanta, GA, US
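
The schedule proposed above, worked through as an added example (not part of the original post and not OpenSSH code): it computes the per-failure delay with overflow saturation and counts how many password prompts a single connection can reach before the authentication timeout. The function names, the 120-second timeout and the `per_try` parameter are assumptions made for illustration.

```c
#include <limits.h>
#include <stdio.h>

/* Hypothetical helper (not OpenSSH code): seconds of delay imposed after the
 * n-th failed attempt on one connection. Saturates instead of wrapping. */
unsigned int backoff_delay(unsigned int initial, unsigned int mult, unsigned int n)
{
    unsigned int d = initial;

    if (n == 0)
        return 0;
    while (--n > 0) {
        if (mult != 0 && d > UINT_MAX / mult)
            return UINT_MAX;
        d *= mult;
    }
    return d;
}

/* Password prompts one connection can reach before the authentication
 * timeout. The first prompt is immediate; per_try is the assumed time the
 * client takes to submit each guess. UINT_MAX means "not throttled". */
unsigned int prompts_before_timeout(unsigned int initial, unsigned int mult,
                                    unsigned int timeout, unsigned int per_try)
{
    unsigned int elapsed = 0, prompts = 0;

    while (elapsed < timeout) {
        unsigned int remaining = timeout - elapsed;
        unsigned int wait = backoff_delay(initial, mult, ++prompts);

        if (wait == 0 && per_try == 0)
            return UINT_MAX;
        if (wait >= remaining || per_try >= remaining - wait)
            break;              /* next prompt would fall past the timeout */
        elapsed += wait + per_try;
    }
    return prompts;
}

int main(void)
{
    unsigned int n;

    for (n = 1; n <= 5; n++)   /* the post's example values: 5 s, multiplier 2 */
        printf("failure %u -> wait %u s\n", n, backoff_delay(5, 2, n));
    printf("prompts within assumed 120 s timeout: %u\n",
           prompts_before_timeout(5, 2, 120, 0));
    return 0;
}
```

With the post's values and the assumed 120-second timeout, a connection reaches five prompts, compared with 120 when each guess costs one second and no delay is applied.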



