Feature request: AlwaysDenyLogin, LoginDelayTime
Ben Lindstrom
mouring at eviladmin.org
Sat Dec 13 11:32:29 EST 2008
On Dec 12, 2008, at 5:23 PM, Richard Stoughton wrote:
> On Fri, Dec 12, 2008 at 5:02 PM, Ben Lindstrom
> <mouring at eviladmin.org> wrote:
>>
>> On Dec 11, 2008, at 3:57 PM, Richard Stoughton wrote:
>>> ...
>>> The basic idea behind the feature request is to let one easily set up
>>> a kind of tarpit sshd in parallel to a 'normal' sshd:
>>>
>>
>> Why would you run OpenSSH in a tarpit mode? This seems like a
>> broken idea.
>> Tarpit software should be small and non-functional (e.g. OpenBSD's
>> spamd).
>> And OpenSSH is not. =)
>
> In general this is surely a good rule of thumb. But in the
> aforementioned scenario, where two ssh daemons would run in parallel,
> a dedicated tarpit ssh daemon would not add any additional security.
> And the absence of a running tarpit sshd of any kind would probably
> not reduce the overall system load.
<cough> The use of "tarpit" and "security" in the same sentence.
Tarpitting doesn't improve security. Weak passwords are still weak.
Badly coded apps are still badly written apps. It adds no more
protection than running sshd on an alternate port.
And in fact "AlwaysDenyLogin" in OpenSSH would cost higher loads
because it should go through all the steps of authentication before
denying. Otherwise there are timing attacks that could tell the
attacker that they are being blocked. Plus remember that this will
eat a "non-authentication" connection on your real server if they are
a single daemon.
- Ben
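The timing point Ben raises, shown as an added example that is not OpenSSH code and not part of the thread: a deny-everything mode that short-circuits before doing any password work answers measurably faster than a real daemon, whereas running the full (constant-cost) check and only then applying the deny decision keeps the two indistinguishable. The user table, the `always_deny` flag and the PBKDF2 parameters are constructed for illustration.

```python
import hashlib
import hmac
import os
import time

ITERATIONS = 20_000  # constructed cost; real systems tune this to their hardware


def _pbkdf2(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


# Constructed user database: username -> (salt, PBKDF2-SHA256 hash).
_SALT = os.urandom(16)
USERS = {"alice": (_SALT, _pbkdf2("correct horse", _SALT))}

# Dummy record used for unknown users so an unknown name costs the same work.
_DUMMY_SALT = os.urandom(16)
_DUMMY = (_DUMMY_SALT, _pbkdf2("dummy-never-matches", _DUMMY_SALT))


def check_password(username: str, password: str, always_deny: bool = False) -> bool:
    """Constant-cost variant: hash and compare on every path, then apply
    the deny decision, so response time does not reveal whether the user
    exists, whether the password matched, or whether deny mode is on."""
    salt, stored = USERS.get(username, _DUMMY)
    candidate = _pbkdf2(password, salt)
    matched = hmac.compare_digest(candidate, stored)
    return matched and not always_deny


def check_password_leaky(username: str, password: str, always_deny: bool = False) -> bool:
    """Short-circuit variant: denying up front skips the expensive hash,
    so a denying daemon is visibly faster than one that really checks."""
    if always_deny:
        return False
    salt, stored = USERS.get(username, _DUMMY)
    return hmac.compare_digest(_pbkdf2(password, salt), stored)


def timed(fn, *args) -> float:
    """Wall-clock seconds taken by one call; used to compare the two variants."""
    start = time.perf_counter()
    fn(*args)
    return time.perf_counter() - start
```

Calling `timed(check_password_leaky, "alice", "x", True)` against `timed(check_password, "alice", "x", True)` shows the gap an observer could exploit: the short-circuit version returns in microseconds while the constant-cost version still pays for the hash.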