sshd_config parameter to deal with multiple failed logins

Bob Proulx bob at proulx.com
Sun Jul 3 12:29:45 EST 2005


Tom Crane wrote:
> Please could responders CC me since I'm not on the mailing list. 
> Does anyone know if there are plans to give sshd the ability to block
> further login attempts from a particular IP address/block after a set
> number of failed logins?

Having personally experienced being locked out of systems because of
admins that have set up such things let me say that setting up
blocking because of failed logins is a Bad Thing.  The reasons can be
simply that someone on the system with an id near yours misspells it a
lot and therefore always locks out the legitimate user.  Or it could
be that you don't like someone and so intentionally lock them out of
their accounts out of spite.  Regardless, it trivially leads to a
denial of service attack against valid users.

The usual way to handle this for people who insist upon doing
something about it is to rate limit the login attempts.  Requiring a
small number of seconds between login attempts is sufficient to
prevent brute force attacks but still allow valid users to log into
the system.

> I'm sure lots of other admins have seen their system logs full of
> attempts by hackers probing with lists of sample usernames.

Yes.  My logs are filled with those.  And my login is plain and
commonly tried in dictionary attacks so I often see it there.  But I
am not concerned by those and I don't think you should be concerned
either.  The best attack possible is a brute force attack against the
password.

I use passwords that are as unguessable as I can make them.  They are
not going to hit the password by guessing.  They may be probing at the
ssh port.  But unless a vulnerability is found in ssh they cannot get
in without a valid password.

Trying to brute force the password would take way too many years to
complete.  The real world is not like the movies where crackers find
the password character by character and know those first characters.
(And in the movies that last character still takes the same amount of
time as the first. :-)

Bob
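The reply above contrasts two responses to repeated failures: locking an account after N bad passwords (which lets anyone who can type a wrong password deny service to the real owner) and requiring a minimum interval between attempts. The simulation below, added here as an illustration and not code from the post or from OpenSSH, runs one constructed timeline through both policies. The addresses, timestamps, thresholds and class names are all made up for the example; only the two policy ideas come from the message.

```python
"""Per-account lockout versus per-source rate limiting, on a constructed timeline.

Added example, not part of the mailing-list post.  Addresses, timings and
thresholds are constructed; the two policies are the ones the reply discusses.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Attempt:
    t: float      # seconds since start of the constructed timeline
    src: str      # source address of the connection
    user: str     # account name tried
    valid: bool   # whether the supplied credential was correct


# Constructed timeline: 10.0.0.9 hammers the account "bob" with wrong
# passwords (a probe, or a neighbour who keeps misspelling their own id);
# 192.0.2.5 is bob's real owner logging in with the right password.
EVENTS = [
    Attempt(0.0, "10.0.0.9", "bob", False),
    Attempt(0.2, "10.0.0.9", "bob", False),
    Attempt(0.4, "10.0.0.9", "bob", False),
    Attempt(0.6, "10.0.0.9", "bob", False),
    Attempt(5.0, "192.0.2.5", "bob", True),    # legitimate owner
    Attempt(7.0, "10.0.0.9", "bob", False),
    Attempt(20.0, "192.0.2.5", "bob", True),   # legitimate owner again
]


class AccountLockout:
    """Lock an account for lock_seconds after max_failures failures on it.

    This is the scheme the reply warns against: the lock is keyed on the
    account, so a third party's failures shut out the account's owner.
    """

    def __init__(self, max_failures: int = 3, lock_seconds: float = 600.0):
        self.max_failures = max_failures
        self.lock_seconds = lock_seconds
        self.failures: Dict[str, int] = {}
        self.locked_until: Dict[str, float] = {}

    def decide(self, a: Attempt) -> str:
        if self.locked_until.get(a.user, -1.0) > a.t:
            return "locked"                 # correct password or not, owner is shut out
        if a.valid:
            self.failures[a.user] = 0
            return "accept"
        n = self.failures.get(a.user, 0) + 1
        self.failures[a.user] = n
        if n >= self.max_failures:
            self.locked_until[a.user] = a.t + self.lock_seconds
            self.failures[a.user] = 0
        return "reject"


class SourceRateLimit:
    """Require min_interval seconds between attempts from the same source.

    Attempts arriving faster are dropped before the password is checked, so
    a brute-force source gets one guess per interval while every other
    source, including the account owner elsewhere, is untouched.
    """

    def __init__(self, min_interval: float = 2.0):
        self.min_interval = min_interval
        self.last_seen: Dict[str, float] = {}   # keyed on source, not account

    def decide(self, a: Attempt) -> str:
        last = self.last_seen.get(a.src)
        if last is not None and a.t - last < self.min_interval:
            return "throttled"              # too soon after this source's last try
        self.last_seen[a.src] = a.t
        return "accept" if a.valid else "reject"


def run(policy, events: List[Attempt]) -> List[str]:
    """Feed the timeline through a policy and return one verdict per attempt."""
    return [policy.decide(e) for e in events]


if __name__ == "__main__":
    for policy in (AccountLockout(), SourceRateLimit()):
        print(type(policy).__name__)
        for e, verdict in zip(EVENTS, run(policy, EVENTS)):
            print(f"  t={e.t:5.1f} {e.src:<10} {e.user} valid={e.valid!s:<5} -> {verdict}")
```

Under the lockout policy the owner's correct logins at t=5 and t=20 both come back `locked`, which is the denial of service the reply describes. Under the per-source limiter the probing source is reduced to one guess every two seconds while the owner's two logins are accepted, because the state is keyed on where the attempt comes from rather than on which account it names.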