idea against hacks - help to IDS of a new generation
Kaleta Stanley
openssh-unix-dev at kaleta.sk
Fri Sep 30 06:22:03 EST 2005
Hi,
I just subscribed and created a new email account only for this purpose,
to send you an idea (or 2).
;)
the problem:
I have full logs of intrusions from some automats trying dictionary
passwords for other dictionary logins.
the status:
These are some "actions" during client-server handshaking:
1. client connects
2. client waits for server feedback
3. server responds
4. client sends a login (or keys handshake ...)
5. server accepts the connection and sends back the confirmation
6. communication
question I.:
What about adding some "delay" as '-' option[s] to sshd
that will wait/sleep some nans/tens of seconds between some of these
handshakes?
I think it would not be a problem to update all the client SWs
to accept this option...
But in between,
some CPU could be used for IDS SWs to identify the intrusion,
to put some iptables -I ... for instance...
(I have my own simple IDS and I'm really missing such a "delay" and the CPU
to make an action...)
I use login/password identification mostly,
and I have no problem waiting (if keys) 2-5 seconds for
authentication...
... but intrusion SWs don't wait - they just try ...
question II.:
another possibility ;)
What about adding an "optional action" as a parameter of sshd
(could be used for IDSs)
in case of intrusion detection (anyway logged to syslog)
to run some rule-based "anything"?
br
Stanley
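The "optional action" of question II, as an added example that is not part of the original post and not OpenSSH code: a small Python detector that reads sshd's syslog lines (a constructed sample is embedded), flags sources that reach a threshold of failed passwords inside a sliding time window, and renders the iptables -I rule the post has in mind for each; the threshold, window length, log lines and addresses are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sshd syslog lines (not from the post); addresses are documentation ranges.
SAMPLE_LOG = """\
Sep 30 06:10:01 host sshd[2101]: Failed password for invalid user oracle from 198.51.100.7 port 40122 ssh2
Sep 30 06:10:02 host sshd[2102]: Failed password for invalid user test from 198.51.100.7 port 40123 ssh2
Sep 30 06:10:03 host sshd[2103]: Failed password for root from 198.51.100.7 port 40124 ssh2
Sep 30 06:10:04 host sshd[2104]: Failed password for invalid user admin from 198.51.100.7 port 40125 ssh2
Sep 30 06:10:05 host sshd[2105]: Failed password for invalid user guest from 198.51.100.7 port 40126 ssh2
Sep 30 06:10:30 host sshd[2110]: Failed password for stanley from 203.0.113.9 port 51000 ssh2
Sep 30 06:10:45 host sshd[2111]: Accepted password for stanley from 203.0.113.9 port 51001 ssh2
"""

# Matches the "Failed password" line sshd logs for known and unknown users alike.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)

def parse_failures(log_text, year=2005):
    """Yield (timestamp, ip, user) per failed-password line; syslog omits the year."""
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["ip"], m["user"]

def offending_ips(log_text, threshold=5, window_seconds=60):
    """Return {ip: peak} for sources with >= threshold failures in any sliding
    window of window_seconds (a dictionary run); one typo by a real user stays under it."""
    per_ip = defaultdict(list)
    for ts, ip, _user in parse_failures(log_text):
        per_ip[ip].append(ts)
    hits = {}
    for ip, times in per_ip.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > timedelta(seconds=window_seconds):
                start += 1  # slide the window forward past old failures
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            hits[ip] = peak
    return hits

def iptables_rule(ip, port=22):
    """Render the 'iptables -I ...' action the post mentions for one flagged source."""
    return f"iptables -I INPUT -p tcp --dport {port} -s {ip} -j DROP"
```

Run over a real auth log, `offending_ips` gives the sources to act on and `iptables_rule` the command to hand to the "optional action" hook.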