Time to add exponential backoff for SSH interactive login failures?

Anthony Iano-Fletcher Anthony at Iano-Fletcher.org
Fri Dec 17 01:07:36 EST 2004


Hello Jay

This sounds like an excellent idea.

		Anthony

On 15 Dec 2004 at 07:42:54, Jay Libove wrote:
> With the growing number of username/password pairs being tried by the low
> level SSH attack which we've all seen in the past few months (I am now
> seeing some series of attempted logins through SSH which try fifty-plus
> different IDs, some with more than one password; I've seen 60 hits on
> "root" in a row), I propose that it is time to add exponential backoff for
> SSH interactive login failures.
> 
> Configurably in 'sshd_config' and/or on the sshd command line, a new
> option would set the delay suffered after the first failed login on a
> given connection before the next prompt would appear, along with the
> multiplier for subsequent delays.
> 
> e.g. 'sshd -eat_this_delay_you_attackers 5 2'
> 
>  .. would result in an SSH daemon running where an attacker would
> experience a five second delay after the first failed interactive login
> attempt before the next password prompt came up, then a ten second delay
> after the second, a twenty second delay after the third, &etc up until the
> existing authentication timeout value is reached and the connection is
> closed.
> 
> This would reduce the effectiveness of any kind of brute force attack
> against SSH, and would reduce the impact on our systems by slowing the
> number of authentication attempts per unit time.
> 
> Discussion, pros/cons?
> 
> Thanks
> -Jay Libove, CISSP
> libove at felines.org
> Atlanta, GA, US
> 
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> http://www.mindrot.org/mailman/listinfo/openssh-unix-dev

-- 
Anthony R Iano-Fletcher        
  Room 2033, Building 12A,        http://dcb.cit.nih.gov/~arif
  National Institutes of Health,  Anthony.Iano-Fletcher at nih.gov
  12A South Drive, Bethesda,      Phone: (+1) 301 402 1741.
  MD 20892-5624, USA.
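The schedule the quoted proposal describes (an initial delay after the first failed login on a connection, multiplied after each further failure, until the existing authentication timeout closes the connection) can be modelled to see what it buys. The following is an added example written for this archive page; it is not code from OpenSSH or from either poster, and the proposed sshd option does not exist. It assumes sshd's LoginGraceTime default of 120 s and MaxAuthTries default of 6; ATTEMPT_COST (seconds per prompt/response round trip) and RECONNECT_COST (seconds for the attacker to open a fresh session) are invented figures for illustration only.

```python
"""Model of the per-connection exponential-backoff proposal for sshd.

Added example, not OpenSSH code. Simulates the delay schedule from the
proposal ('sshd ... 5 2': 5 s after the first failure, 10 s after the
second, 20 s after the third, ...) under a fixed authentication timeout,
and compares attacker throughput with what sshd's existing per-connection
limits already allow.
"""

ATTEMPT_COST = 0.5     # assumed: seconds per password prompt/response
RECONNECT_COST = 1.0   # assumed: seconds for the attacker to reconnect


def backoff_delays(initial_delay, multiplier, grace_time,
                   attempt_cost=ATTEMPT_COST):
    """Delays an attacker sits through on one connection before the grace
    timer expires. The first guess is undelayed; guess k+1 is preceded by
    initial_delay * multiplier**k seconds."""
    delays = []
    elapsed = attempt_cost          # time used by the first (undelayed) guess
    delay = initial_delay
    # A further prompt only appears if the delay plus the attempt itself
    # still fit before sshd closes the connection at grace_time.
    while elapsed + delay + attempt_cost <= grace_time:
        delays.append(delay)
        elapsed += delay + attempt_cost
        delay *= multiplier
    return delays


def guesses_per_connection(initial_delay, multiplier, grace_time,
                           attempt_cost=ATTEMPT_COST):
    """One undelayed guess plus one per delay that fits in the grace time."""
    return 1 + len(backoff_delays(initial_delay, multiplier, grace_time,
                                  attempt_cost))


def guesses_per_hour(guesses, seconds_per_connection):
    """Throughput when a connection yielding `guesses` guesses is torn down
    and re-opened as soon as it stops being useful."""
    return 3600.0 * guesses / seconds_per_connection


def compare(initial_delay=5, multiplier=2, grace_time=120, max_auth_tries=6,
            attempt_cost=ATTEMPT_COST, reconnect_cost=RECONNECT_COST):
    """Guesses per hour for three attacker strategies:
      baseline  - no backoff; MaxAuthTries guesses per connection
      patient   - backoff; attacker uses every guess the connection allows
      reconnect - backoff; attacker drops the connection after each failure,
                  so only the undelayed first guess is ever used
    """
    baseline_n = min(max_auth_tries, int(grace_time // attempt_cost))
    baseline = guesses_per_hour(
        baseline_n, baseline_n * attempt_cost + reconnect_cost)

    # MaxAuthTries still caps the patient attacker; truncate the schedule.
    delays = backoff_delays(initial_delay, multiplier, grace_time,
                            attempt_cost)[:max_auth_tries - 1]
    patient_time = (attempt_cost + sum(d + attempt_cost for d in delays)
                    + reconnect_cost)
    patient = guesses_per_hour(1 + len(delays), patient_time)

    reconnect = guesses_per_hour(1, attempt_cost + reconnect_cost)
    return {"baseline": baseline, "patient": patient, "reconnect": reconnect}


if __name__ == "__main__":
    print("delays on one connection:", backoff_delays(5, 2, 120))
    for name, rate in compare().items():
        print(f"{name:10s} {rate:8.0f} guesses/hour")
```

With the posted '5 2' parameters and a 120 s timeout, one connection allows five guesses (delays of 5, 10, 20 and 40 s), so a patient attacker gets a few hundred guesses per hour instead of several thousand. The model also makes the limitation visible: because the delay is tied to the connection, an attacker who disconnects after every failure never pays more than the undelayed first guess, and the reduction then comes only from the cost of reconnecting. Anything tracked per connection therefore needs to be paired with rate limiting across connections from the same source.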
