Time to add exponential backoff for SSH interactive login failures?
rapier at psc.edu
Sat Dec 18 06:53:01 EST 2004
Jay Libove wrote:
> 2. slow down anyone who would try to brute force (or even just run
> through a few hundred
> already-found-elsewhere-but-not-existing-on-my-machine user ID and
> password combinations)
There are 86400 seconds in a day. Even with a 5 second delay that gives
a patient intruder more than 17000 tries in one day. Admittedly, this is
better than giving them several hundred thousand attempts per day but
its still, in my view, not much of a deterrent. Especially given that it
would be trivial to circumvent.
Still, this seems to be one of those 'eh, why not?' things. It might
help and only a few lines of code. I would only suggest that the default
for the delay to be 0.
More information about the openssh-unix-dev