Time to add exponential backoff for SSH interactive login failures?

Jim Knoble jmknoble at pobox.com
Fri Dec 17 00:59:58 EST 2004


Circa 2004-12-16 16:23:25 +1100 dixit Damien Miller:

: Jay Libove wrote:
: > [...] I propose that it is time to add exponential backoff for
: > SSH interactive login failures.
: 
: If you raise the cost of subsequent password attempts much, then it
: will be cheaper for an attacker to make multiple connections instead.

Combining exponential backoff on login failures with tarpitting for
hosts that have too many connections during a given interval could
reduce the effectiveness of password guessing regardless of how many
connections were made, unless the attacker performed a distributed
attack (against which sshd is currently defenseless anyway).

: I am surprised that these trivial password guessing worms are working
: at all - it is amazing that people have learned so little in the last
: 20 years.

Folks still write passwords on sticky notes attached to their monitor,
send them via cleartext email messages, and satisfy the "must contain at
least one number" requirement with the string "123".  I'm a little
surprised that the worms aren't more effective than they are....

-- 
jim knoble  |  jmknoble at pobox.com  |  http://www.pobox.com/~jmknoble/
(GnuPG fingerprint: 31C4:8AAC:F24E:A70C:4000::BBF4:289F:EAA8:1381:1491)
 .....................................................................
 :"The methods now being used to merchandise the political candidate :
 : as though he were a deodorant positively guarantee the electorate :
 : against ever hearing the truth about anything."   --Aldous Huxley :
 :...................................................................:
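The two mechanisms discussed above (per-connection exponential backoff on failed password attempts, and a tarpit for hosts that open too many connections in a given interval) can be simulated to see how they interact with an attacker's choice of strategy. The following is an added illustration and is not OpenSSH code; the throttle parameters, the host address and the attacker model (a fixed number of wrong guesses, a fresh connection every N guesses) are constructed for the example.

```python
"""Simulation of the throttling policy discussed in the thread above:
exponential backoff on failed password attempts within a connection,
combined with a tarpit for hosts that open too many connections in a
sliding window.  Added illustration, not OpenSSH code; all parameter
values below are constructed for the example."""
from collections import deque


class LoginThrottle:
    def __init__(self, base_delay=1.0, max_delay=64.0,
                 conn_limit=5, window=60.0, tarpit_delay=600.0):
        self.base_delay = base_delay      # delay after the first failure
        self.max_delay = max_delay        # cap on the per-connection backoff
        self.conn_limit = conn_limit      # connections per host per window before tarpit
        self.window = window              # sliding window, seconds
        self.tarpit_delay = tarpit_delay  # delay imposed on a tarpitted connection
        self.failures = {}                # conn_id -> consecutive failed attempts
        self.conn_times = {}              # host -> deque of connection timestamps

    def open_connection(self, host, conn_id, now):
        """Register a new connection from host at time `now` and return the
        delay it must wait before being serviced (0 unless tarpitted)."""
        times = self.conn_times.setdefault(host, deque())
        while times and now - times[0] > self.window:   # expire old entries
            times.popleft()
        times.append(now)
        self.failures[conn_id] = 0
        return self.tarpit_delay if len(times) > self.conn_limit else 0.0

    def failed_login(self, conn_id):
        """Record a failed attempt on conn_id and return the delay before
        the next password prompt: base * 2**(n-1), capped at max_delay."""
        n = self.failures.get(conn_id, 0) + 1
        self.failures[conn_id] = n
        return min(self.base_delay * 2 ** (n - 1), self.max_delay)


def attack_time(throttle, host, guesses, per_conn):
    """Wall-clock seconds for an attacker at `host` to make `guesses` wrong
    password attempts, opening a fresh connection every `per_conn` guesses.
    Returns (total_seconds, connections_opened, connections_tarpitted)."""
    now = 0.0
    conns = tarpitted = made = 0
    while made < guesses:
        conns += 1
        conn_id = (host, conns)
        wait = throttle.open_connection(host, conn_id, now)
        if wait:
            tarpitted += 1
        now += wait
        for _ in range(min(per_conn, guesses - made)):
            now += throttle.failed_login(conn_id)
            made += 1
    return now, conns, tarpitted


def compare(guesses=20):
    """Cost of three attacker strategies (all guesses on one connection,
    four per connection, one per connection) under backoff alone and under
    backoff plus the connection-rate tarpit.  Returns
    {per_conn: (seconds_backoff_only, seconds_with_tarpit)}."""
    results = {}
    for per_conn in (guesses, 4, 1):
        backoff_only = LoginThrottle(conn_limit=10 ** 9)   # tarpit never triggers
        combined = LoginThrottle()
        results[per_conn] = (
            attack_time(backoff_only, "10.0.0.1", guesses, per_conn)[0],
            attack_time(combined, "10.0.0.1", guesses, per_conn)[0],
        )
    return results


if __name__ == "__main__":
    for per_conn, (alone, both) in compare().items():
        print(f"{per_conn:2d} guess(es)/connection: "
              f"backoff only {alone:6.0f}s, with tarpit {both:6.0f}s")
```

With these constructed parameters, reconnecting for every guess is the cheapest strategy under backoff alone (20 s for 20 guesses against 959 s on one connection), which is the objection quoted above; the tarpit turns that into the most expensive strategy (1820 s). The middle strategy, a few guesses per connection spread over no more connections than the window permits, stays cheap under both policies, so the connection limit and window length are the values an operator has to tune against the backoff schedule.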

More information about the openssh-unix-dev mailing list