Blocking the password-guessing bots

maf at maf at
Fri Sep 9 02:08:49 EST 2005

Recently I grew tired of the repeated ssh brute-force scanning bots so I
implemented a blocking algorithm in our version of OpenSSH. My goal was
to find an algorithm which could block most of the brute-force attempts
while being simple to implement and not rely on any external software.

The algorithm I came up with is that login attempts are blocked if there
has been X failed, and no successful, login attempts from the same
address during the last Y seconds. A blocked login counts as a failed

The value X controls how many real shots at guessing a password the bot
gets so we want to keep it small. At the same time we need to allow
users to miss-type their passwords, so it can not be too low. I have
settled on a value of 3. The bots typically make one attempt every few
second so the value of Y can be pretty low, 20-30 seconds should work
just fine in todays environment.

Looking at my logs for the last three months I see that this algorithm
would have blocked approximately 98.5% of all bot-attempts.

My question now is if the OpenSSH developers are interested in an
implementation of this? Or would I waste my time if I ported it to
standard OpenSSH?

Martin Forssen <maf at>              Development Manager
Phone: +46 31 7744361                         AppGate Network Security AB

More information about the openssh-unix-dev mailing list