Time to add exponential backoff for SSH interactive login failures?

Christopher Rapier rapier at psc.edu
Sat Dec 18 06:53:01 EST 2004

Jay Libove wrote:

 > 2. slow down anyone who would try to brute force (or even just run
 > through a few hundred
 > already-found-elsewhere-but-not-existing-on-my-machine user ID and
 > password combinations)

There are 86400 seconds in a day. Even with a 5 second delay that gives 
a patient intruder more than 17000 tries in one day. Admittedly, this is 
better than giving them several hundred thousand attempts per day but 
its still, in my view, not much of a deterrent. Especially given that it 
would be trivial to circumvent.

Still, this seems to be one of those 'eh, why not?' things. It might 
help and only a few lines of code. I would only suggest that the default 
for the delay to be 0.

More information about the openssh-unix-dev mailing list