Feature request: FAIL_DELAY-support for sshd

Bjoern Voigt bjoern at cs.tu-berlin.de
Wed Feb 2 06:33:23 EST 2005


Hello!

My Linux server is attacked every day with brute-force password-cracking 
attacks. I use openssh-3.9p1 (SuSE Linux 9.2) with the standard setup (PAM, 
LoginGraceTime 2m, MaxAuthTries 6). Unfortunately, I see cracking 
attempts with very short delays (1 second):

Jan 31 00:46:53 XXX sshd[10774]: Invalid user backup from ::ffff:66.98.176.50
Jan 31 00:46:54 XXX sshd[10776]: Invalid user server from ::ffff:66.98.176.50
Jan 31 00:46:55 XXX sshd[10778]: Invalid user adam from ::ffff:66.98.176.50
..
I want to slow down these attacks with a login delay for failed logins. I 
tried FAIL_DELAY (in /etc/login.defs) for this, but unfortunately 
openssh has no support for this and ignores it.

I searched the net today for solutions and tried some things in 
the source code. These are my experiences:

1) Very many people ask for a FAIL_DELAY feature (Source: Google, 
Newsgroups, Mailinglists, ...)
2) The work-arounds are not perfect:
    a) Some people suggest using /lib/security/pam_tally.so (this 
PAM module denies access to accounts after too many login failures). 
Unfortunately this module can result in denial-of-service.
    b) The MaxStartups option in /etc/ssh/sshd_config. This drops new 
connections if there are too many unauthorized login attempts. It may 
help a bit against cracking attempts, but it doesn't use delays. Because 
OpenSSH checks the usernames before PAM authentication, this feature 
will not help against testing usernames.

I played a bit with OpenSSH's source code to enable a FAIL_DELAY:

In auth-pam.c, sshpam_thread(), I inserted

    pam_fail_delay(sshpam_handle, 10000000 /* micro-seconds */ );

before

    sshpam_err = pam_authenticate(sshpam_handle, flags);

This results in a 10-second delay after a login attempt with an 
existing user but a wrong password.

Unfortunately this introduces new problems, because an attacker can now 
see whether the user exists or not:

Case 1: existing username, but wrong passwords
$ ssh existing-user@localhost
Password:
(10 sec delay)
Password:
(10 sec delay)
Password:
(10 sec delay)
Permission denied (publickey,keyboard-interactive).

Case 2: non-existing username
$ ssh -p 112 non-existing-user@localhost
Password:
(no delay)
Password:
(no delay)
Password:
(no delay)
Permission denied (publickey,keyboard-interactive).

The problem is that OpenSSH checks the username without PAM, so 
pam_fail_delay() has no effect if the username is wrong.

Could someone help here? I think the FAIL_DELAY feature is very 
important for better security, and many users wish for it and will use it.

Regards, Björn
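
The burst quoted at the top of the post (one "Invalid user" line per second from a single source) is easy to pick out of auth logs automatically. The following is an added example, not code from the post or from OpenSSH: it parses sshd "Invalid user" lines in the syslog format shown above, strips the ::ffff: IPv4-mapped prefix the post's log carries, groups attempts by source and flags sources that sweep usernames at a high rate. The log lines are constructed to resemble the ones in the post, the year (syslog omits it) is assumed to be 2005, and the thresholds are illustrative assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample, modelled on the lines quoted in the post: one source
# cycling usernames at one-second intervals, one lone failure, one success.
SAMPLE_LOG = """\
Jan 31 00:46:53 XXX sshd[10774]: Invalid user backup from ::ffff:66.98.176.50
Jan 31 00:46:54 XXX sshd[10776]: Invalid user server from ::ffff:66.98.176.50
Jan 31 00:46:55 XXX sshd[10778]: Invalid user adam from ::ffff:66.98.176.50
Jan 31 00:46:56 XXX sshd[10780]: Invalid user test from ::ffff:66.98.176.50
Jan 31 00:50:12 XXX sshd[10801]: Invalid user oracle from 192.0.2.17
Jan 31 01:12:40 XXX sshd[10933]: Accepted password for bjoern from 198.51.100.9 port 55020 ssh2
"""

# syslog timestamp (no year), host, sshd[pid], then the "Invalid user" message.
INVALID_USER_RE = re.compile(
    r"^(\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Invalid user (\S+) from (\S+)$"
)


def normalize_source(addr):
    """Strip the IPv4-mapped IPv6 prefix sshd logs when it listens on an
    IPv6 socket (::ffff:66.98.176.50 -> 66.98.176.50)."""
    return addr[7:] if addr.startswith("::ffff:") else addr


def parse_invalid_user_events(log_text, year=2005):
    """Return (timestamp, username, source) for every "Invalid user" line.
    syslog omits the year, so the caller supplies it (2005 assumed here)."""
    events = []
    for line in log_text.splitlines():
        m = INVALID_USER_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        events.append((ts, m.group(2), normalize_source(m.group(3))))
    return events


def find_username_sweeps(events, min_attempts=3, max_median_gap_s=5.0):
    """Group invalid-user events by source and flag sources that tried at
    least min_attempts names with a median gap of at most max_median_gap_s
    seconds. Thresholds are illustrative assumptions, not values from the post."""
    by_source = defaultdict(list)
    for ts, user, source in events:
        by_source[source].append((ts, user))

    report = {}
    for source, attempts in by_source.items():
        if len(attempts) < min_attempts:
            continue
        attempts.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(attempts, attempts[1:])]
        gap = median(gaps)
        if gap <= max_median_gap_s:
            report[source] = {
                "attempts": len(attempts),
                "median_gap_s": gap,
                "usernames": [u for _, u in attempts],
            }
    return report


if __name__ == "__main__":
    sweeps = find_username_sweeps(parse_invalid_user_events(SAMPLE_LOG))
    for src, info in sweeps.items():
        print(f"{src}: {info['attempts']} invalid users, "
              f"median gap {info['median_gap_s']:.1f}s, {info['usernames']}")
```

Only "Invalid user" lines are counted here, so the single failure from 192.0.2.17 and the successful login are ignored; a real deployment would also feed "Failed password" lines into the same grouping.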

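The two cases in the post (delay for an existing user, no delay for an unknown one) amount to a timing oracle for account existence. The following is an added example, not code from the post or from OpenSSH: it models the code path the post describes (sshd rejects unknown users itself before PAM runs, so the pam_fail_delay() the patch inserts only fires for real accounts), models a variant that charges the same delay for every failure regardless of the reason (an assumption of this example, not an OpenSSH feature), and runs an attacker-side classifier against both. The account table and candidate names are constructed, and delays are returned as numbers rather than slept.

```python
# Added example: simulation of the username timing oracle described in the
# post. No real PAM or sshd code is called; delays are modelled as values.

FAIL_DELAY_US = 10_000_000  # the 10 s the post's patch passes to pam_fail_delay()

# Constructed stand-in for the account database PAM would consult.
ACCOUNTS = {"existing-user": "s3cret", "adam": "hunter2"}

# Constructed candidate list: names from the post's log plus the two cases.
CANDIDATES = ["backup", "server", "adam", "existing-user", "non-existing-user"]


def patched_attempt(user, password):
    """Post's patch: pam_fail_delay() is armed just before pam_authenticate(),
    which sshd only reaches after it has confirmed the account exists.
    Returns (accepted, delay_us) as the client would observe it."""
    if user not in ACCOUNTS:
        return False, 0                 # rejected by sshd itself; PAM never runs
    if ACCOUNTS[user] == password:
        return True, 0
    return False, FAIL_DELAY_US         # PAM honours the armed delay on failure


def uniform_delay_attempt(user, password):
    """Assumed hardened variant: every failed attempt pays the same delay,
    whether the user is unknown or the password is wrong."""
    accepted = user in ACCOUNTS and ACCOUNTS[user] == password
    return accepted, 0 if accepted else FAIL_DELAY_US


def enumerate_accounts(attempt, candidates, threshold_us=1_000_000):
    """Attacker side: one junk password per candidate; any name that answers
    slower than the threshold is classified as an existing account. The
    threshold sits far below the 10 s delay so jitter in the real delay
    would not matter."""
    found = []
    for user in candidates:
        accepted, delay = attempt(user, "wrong-password")
        if accepted or delay >= threshold_us:
            found.append(user)
    return found


if __name__ == "__main__":
    print("patched sshd  :", enumerate_accounts(patched_attempt, CANDIDATES))
    print("uniform delay :", enumerate_accounts(uniform_delay_attempt, CANDIDATES))
```

Against the patched model the classifier returns exactly the real accounts; against the uniform-delay model every candidate looks the same, so the response time carries no information about whether the name exists. Note that the uniform variant still delays the attacker only if the delay is enforced per connection attempt; a client that opens many connections in parallel pays it concurrently, which is why a delay is a complement to, not a substitute for, connection limits such as MaxStartups.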