Feature request: AlwaysDenyLogin, LoginDelayTime

Richard Stoughton kyrieuon at gmail.com
Fri Dec 12 08:57:33 EST 2008


Thank you for your reply.

On Thu, Dec 11, 2008 at 12:40 AM, Jim Knoble <jmknoble at pobox.com> wrote:
> Circa 2008-12-09 18:26 dixit Richard Stoughton:
>
> : Please consider adding the following features to sshd:
> :
> : 1. AlwaysDenyLogin - a setting that will result in always denying
> : login regardless of the credentials given by the client.
>
> This capability is already available, via several different methods:
> ...

The basic idea behind the feature request is to let one easily set up
a kind of tarpit sshd in parallel to a 'normal' sshd:

 |--------------------------|
 |  ------                  |
 | |      |                 |
 | | sshd |--- Port 22 ------ <-- dumb bots
 | |      | login disabled  |
 |  ------                  |
 |                          |
 |  ------                  |
 | |      |                 |
 | | sshd |-- Port != 22 ---- <-- more intelligent clients
 | |      |                 |
 |  ------                  |
 |--------------------------|
 (needs a monospace font)

The sshd at port 22 would get the attention of dumb bots and slow them down,
while the second instance would identify more intelligent clients such as
legitimate users or not-so-dumb attackers.

>    (a) Use the 'AllowGroups' keyword in your sshd_config file, together
>        with a group containing no members.  For example, on a system
>        which has useradd/groupadd:
>
>            su
>            /usr/sbin/groupadd -g 2222 allowssh
>            cd /etc/ssh
>            cp -p sshd_config sshd_config.BACKUP
>            echo 'AllowGroups allowssh' >>sshd_config
>
>        (Of course, this method is even more useful if the 'allowssh'
>        group actually contains members who should be allowed to log in
>        via ssh...).

If denial of login via DenyUsers or AllowGroups cannot be distinguished from
an ordinarily failed login these would suffice for my point 1.

>    (b) If your OpenSSH is configured with support for TCP wrappers, use
>        /etc/hosts.allow and/or /etc/hosts.deny to configure what source
>        IP addresses may use the ssh service....
>
>    (c) If there is an ssh service where no user should be allowed to
>        log in, then consider turning off the service.

(b) and (c) would not work for my use case ;)

> ...
> : 2. LoginDelayTime - to specify a delay in milliseconds before the
> : server responds to a client's login attempt.
>
> This should be done using firewall rules, either at a network gateway or
> on the host where the ssh server is running.

Hm, configuring a firewall requires a lot more expertise than simply setting
an sshd configuration parameter. It makes things unnecessarily complex.
And I'm not sure whether an attacker would be unable to identify a tarpit if the
delay doesn't come from the sshd process.
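As an added example (not part of this thread or of OpenSSH), here is one way an operator of the two-instance layout above could see which sources are hitting the deny-all tarpit: a short Python pass over constructed auth log lines that separates AllowGroups rejections (which only the empty-group tarpit instance produces) from ordinary failed and accepted logins. It assumes both instances write to the same log and that the lines use sshd's standard wording at the default LogLevel; the hostnames, addresses and usernames are made up.

```python
import re
from collections import Counter, defaultdict

# Constructed sample auth.log lines (not real traffic). The wording follows
# the messages OpenSSH sshd emits at LogLevel INFO (assumption).
SAMPLE_LOG = """\
Dec 12 08:57:01 gw sshd[1201]: Invalid user admin from 203.0.113.7 port 51234
Dec 12 08:57:02 gw sshd[1201]: User admin from 203.0.113.7 not allowed because not listed in AllowGroups
Dec 12 08:57:04 gw sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Dec 12 08:57:09 gw sshd[1204]: User root from 203.0.113.7 not allowed because not listed in AllowGroups
Dec 12 08:57:11 gw sshd[1204]: Failed password for invalid user root from 203.0.113.7 port 51240 ssh2
Dec 12 08:58:10 gw sshd[1305]: Accepted publickey for alice from 198.51.100.4 port 40022 ssh2
Dec 12 08:58:30 gw sshd[1307]: Failed password for alice from 198.51.100.4 port 40030 ssh2
"""

# Only the tarpit instance (empty AllowGroups group) can produce this line.
ALLOWGROUPS_DENY = re.compile(
    r"User (\S+) from (\S+) not allowed because not listed in AllowGroups")
FAILED = re.compile(r"Failed \w+ for (?:invalid user )?(\S+) from (\S+) port \d+")
ACCEPTED = re.compile(r"Accepted \w+ for (\S+) from (\S+) port \d+")

def classify(line):
    """Return (kind, user, source) for an auth event, or None for other lines."""
    for kind, pat in (("allowgroups_deny", ALLOWGROUPS_DENY),
                      ("failed", FAILED), ("accepted", ACCEPTED)):
        m = pat.search(line)
        if m:
            return kind, m.group(1), m.group(2)
    return None

def summarize(log_text):
    """Per source address: a Counter of event kinds and the set of usernames tried."""
    per_ip = defaultdict(lambda: {"counts": Counter(), "users": set()})
    for line in log_text.splitlines():
        ev = classify(line)
        if ev is None:
            continue
        kind, user, ip = ev
        per_ip[ip]["counts"][kind] += 1
        per_ip[ip]["users"].add(user)
    return dict(per_ip)

def tarpit_sources(summary):
    """Sources that were rejected by AllowGroups, i.e. that tried the port-22 tarpit."""
    return sorted(ip for ip, s in summary.items() if s["counts"]["allowgroups_deny"] > 0)
```

Sources listed by `tarpit_sources` never reached the real instance; a source that shows up with both kinds of event found the second port as well.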
