Feature request: FAIL_DELAY-support for sshd

Gert Doering gert at greenie.muc.de
Thu Feb 3 04:08:58 EST 2005


Hi,

On Wed, Feb 02, 2005 at 05:59:42PM +0100, Bjoern Voigt wrote:
> But, how do you deal with the following situation: Two users (a "good" user
> and a "bad" user) are behind a firewall with one public IP. Now the
> "bad" user tries 3 wrong passwords. After that, the "good" user cannot
> connect to his host (denial-of-service attack).

True.  There is no way to perfectly solve this - but then, NAT is evil,
and whoever uses it to hide multiple machines behind a single IP deserves 
all the disadvantages.

Besides the political statement, in our environment this is really not 
a serious issue.  Most SSH logins that we have come from colleagues who
are at home, but are "on call" in case something breaks in the internal
network.  They dial in over some sort of DSL provider, and if they 
really happen to get their IP blocked due to bad passwords, they can
just disconnect, get a new dynamic IP assigned, and try again - or they
can call another colleague who has a static-no-NAT-IP and can ssh in
to remove the block.

The "good" logins are not "joe random from the street can do this",
and the "bad" logins are fairly infrequent (we see about 2-5 machines
doing SSH account scans per day, mostly from IPs located on different
continents), so the chance that someone is accidentally locked out is
fairly low.

In the end it's always the same decision - "convenience" vs. "security"...

gert
-- 
USENET is *not* the non-clickable part of WWW!
                                                           //www.muc.de/~gert/
Gert Doering - Munich, Germany                             gert at greenie.muc.de
fax: +49-89-35655025                        gert at net.informatik.tu-muenchen.de
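The per-source-IP lockout the quoted mail describes, replayed as an added example (not code from this thread or from OpenSSH). The threshold of 3 failures and the manual unblock by a colleague follow the mails above; the IP addresses and user names are constructed:

```python
from collections import defaultdict

MAX_FAILURES = 3  # the "3 wrong passwords" threshold from the thread


class IpLockout:
    """Failed-login lockout keyed on source IP only.
    Every attempt from one public IP counts against that IP, so all hosts
    behind a NAT address share a single failure budget."""

    def __init__(self, max_failures=MAX_FAILURES):
        self.max_failures = max_failures
        self.failures = defaultdict(int)
        self.blocked = set()

    def attempt(self, ip, user, password_ok):
        """Return True if the login is accepted, False if refused."""
        if ip in self.blocked:
            return False          # refused regardless of who is asking
        if password_ok:
            self.failures[ip] = 0
            return True
        self.failures[ip] += 1
        if self.failures[ip] >= self.max_failures:
            self.blocked.add(ip)
        return False

    def unblock(self, ip):
        """Manual removal of a block, as by the colleague with a static IP."""
        self.blocked.discard(ip)
        self.failures.pop(ip, None)


def nat_collision_scenario():
    """'Bad' and 'good' user behind one NAT, plus a colleague on a static IP."""
    nat_ip, static_ip = "198.51.100.7", "203.0.113.9"   # constructed (RFC 5737)
    lo = IpLockout()
    bad = [lo.attempt(nat_ip, "root", False) for _ in range(3)]
    good_locked_out = not lo.attempt(nat_ip, "alice", True)   # correct password
    colleague_ok = lo.attempt(static_ip, "bob", True)          # unaffected
    lo.unblock(nat_ip)                                          # colleague removes block
    good_after_unblock = lo.attempt(nat_ip, "alice", True)
    return {"bad": bad, "good_locked_out": good_locked_out,
            "colleague_ok": colleague_ok,
            "good_after_unblock": good_after_unblock,
            "blocked_ips": sorted(lo.blocked)}
```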