sshd exponential backoff patch
Sam Watkins
swatkins at fastmail.fm
Fri Jan 23 20:05:33 EST 2009
Hi,
I wrote a patch to openssh sshd.c which enables "exponential backoff",
so that an attacker cannot brute force your password by making hundreds
of login attempts.
here is the code:
http://sam.nipl.net/sshd-backoff/
An attacker who fails to login is locked out (by IP address) for 1
minute, and the lockout period doubles for each failed login after that.
Normally three logins are allowed before an ssh connection is
terminated.
This patch is "beta" software and might lock you out of your sshd, so be
careful and make sure you are prepared for that.
You can "test" the patch by attempting to break into this server:
nipl.net, where ssh is running on port 22.
The patch creates and uses a db-4 database in /var/lib/ssh/backoff.db
I think my code is written carefully, but it might have some bugs. Also
I think this problem might be better solved outside of sshd (maybe in
pam). I'd be very grateful for any constructive feedback.
Thanks!
Sam
(I wrote a similar hack in shell-script a while ago, to prevent
pppd running up a huge phone bill in the case that a dialup
connection fails.)
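The lockout schedule the post describes (one minute after the first failed login from an address, doubling on every failed login after that, keyed by source IP) is short enough to show in full. The following C is an added illustration written for this page; it is not the sshd-backoff patch and not OpenSSH code. It assumes a small in-memory table instead of the patch's db-4 file, takes the current time as a parameter so runs are deterministic, and the function names, the 64-entry table size and the 2^16 cap on doubling are all assumptions of this example.

```c
/*
 * backoff.c - per-IP exponential lockout for failed logins.
 *
 * Illustrative code written for this note, NOT the sshd-backoff patch
 * itself. State lives in a small in-memory table (an assumption; the
 * patch uses a db-4 file), and timestamps are passed in explicitly so
 * the behaviour can be checked without waiting for real minutes.
 */
#include <stdio.h>
#include <string.h>
#include <time.h>

#define BACKOFF_BASE_SECS   60   /* first lockout: 1 minute */
#define BACKOFF_MAX_SHIFT   16   /* cap doubling at 60 << 16 s (~45 days) */
#define BACKOFF_MAX_ENTRIES 64   /* table size; assumed, not from the patch */

struct backoff_entry {
    char     ip[46];          /* INET6_ADDRSTRLEN: fits any textual IP */
    unsigned failures;        /* consecutive failures seen from this IP */
    time_t   locked_until;    /* absolute time at which the lockout ends */
};

static struct backoff_entry table[BACKOFF_MAX_ENTRIES];
static size_t table_len;

static struct backoff_entry *backoff_find(const char *ip)
{
    for (size_t i = 0; i < table_len; i++)
        if (strcmp(table[i].ip, ip) == 0)
            return &table[i];
    return NULL;
}

/* Find or allocate the entry for ip. When the table is full, recycle the
 * entry whose lockout ends soonest rather than refusing to track the new
 * address; refusing would let a flood of source addresses fail open. */
static struct backoff_entry *backoff_get(const char *ip)
{
    struct backoff_entry *e = backoff_find(ip);
    if (e != NULL)
        return e;
    if (table_len < BACKOFF_MAX_ENTRIES) {
        e = &table[table_len++];
    } else {
        e = &table[0];
        for (size_t i = 1; i < table_len; i++)
            if (table[i].locked_until < e->locked_until)
                e = &table[i];
    }
    memset(e, 0, sizeof *e);
    strncpy(e->ip, ip, sizeof e->ip - 1);   /* NUL-terminated by memset */
    return e;
}

/* Seconds left in ip's lockout at time now; 0 means a login attempt may
 * proceed. sshd would consult this before offering authentication. */
long backoff_check(const char *ip, time_t now)
{
    const struct backoff_entry *e = backoff_find(ip);
    if (e == NULL || now >= e->locked_until)
        return 0;
    return (long)(e->locked_until - now);
}

/* Record a failed login from ip at time now and return the new lockout
 * length: 60 s for the first failure, doubling on each subsequent one. */
long backoff_fail(const char *ip, time_t now)
{
    struct backoff_entry *e = backoff_get(ip);
    unsigned shift;
    long secs;

    e->failures++;
    shift = e->failures - 1;
    if (shift > BACKOFF_MAX_SHIFT)      /* keep the shift in range */
        shift = BACKOFF_MAX_SHIFT;
    secs = (long)BACKOFF_BASE_SECS << shift;
    e->locked_until = now + secs;
    return secs;
}

/* A successful login clears the failure history for ip. */
void backoff_success(const char *ip)
{
    struct backoff_entry *e = backoff_find(ip);
    if (e != NULL) {
        e->failures = 0;
        e->locked_until = 0;
    }
}

int main(void)
{
    /* Constructed walk-through using an RFC 5737 documentation address. */
    const char *ip = "203.0.113.5";
    time_t t = 1000;

    printf("lockout after fail 1: %ld s\n", backoff_fail(ip, t));        /* 60 */
    printf("remaining at +30 s:   %ld s\n", backoff_check(ip, t + 30));  /* 30 */
    t += 60;
    printf("lockout after fail 2: %ld s\n", backoff_fail(ip, t));        /* 120 */
    t += 120;
    printf("lockout after fail 3: %ld s\n", backoff_fail(ip, t));        /* 240 */
    backoff_success(ip);
    printf("after success:        %ld s\n", backoff_check(ip, t));       /* 0 */
    return 0;
}
```

Two details matter in practice. The doubling is capped, because an unbounded shift of a 60-second base overflows after a few dozen failures and would silently turn a long lockout into no lockout at all. And since the lockout is keyed on source address, every client behind the same NAT or proxy as an attacker shares its penalty, which is the lockout-yourself risk the post warns about; a persistent store such as the patch's db-4 file also means the penalty survives an sshd restart, so an administrator needs a way to clear entries out of band.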