sshd exponential backoff patch

Sam Watkins swatkins at
Fri Jan 23 20:05:33 EST 2009


I wrote a patch to openssh sshd.c which enables "exponential backoff",
so that an attacker cannot brute force your password by making hundreds
of login attempts.

Here is the code:

An attacker who fails to login is locked out (by IP address) for 1
minute, and the lockout period doubles for each failed login after that.
Normally three logins are allowed before an ssh connection is

This patch is "beta" software and might lock you out of your sshd, so be
careful and make sure you are prepared for that.

You can "test" the patch by attempting to break in to this server, ssh is running on port 22

The patch creates and uses a db-4 database in /var/lib/ssh/backoff.db

I think my code is written carefully, but it might have some bugs. Also
I think this problem might be better solved outside of sshd (maybe in
pam). I'd be very grateful for any constructive feedback.



(I wrote a similar hack in shell script a while ago, to prevent
pppd running up a huge phone bill in the case that a dialup
connection fails.)
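The patch itself is not included in the archived message, so the following is an added illustration of the lockout schedule the post describes (first failure locks the source address out for 1 minute, each further failure doubles the period), written for this page and not taken from Sam Watkins' sshd.c patch. It keeps state in a small in-memory table rather than the db-4 file the patch uses, and the 24-hour cap on the lockout and the reset on successful login are assumptions of this example, not details from the post.

```c
#include <stdio.h>
#include <string.h>
#include <time.h>

#define MAX_ENTRIES   64           /* assumed table size for this illustration */
#define BASE_LOCKOUT  60L          /* 1 minute after the first failure (from the post) */
#define MAX_LOCKOUT   (24L * 3600L) /* assumed cap; the post does not specify one */

struct backoff_entry {
    char     ip[46];        /* textual IPv4/IPv6 address, the lockout key */
    unsigned failures;      /* consecutive failed logins from this address */
    time_t   locked_until;  /* absolute time the current lockout expires */
};

static struct backoff_entry table[MAX_ENTRIES];

/* Find the entry for ip; optionally create one in a free slot. */
static struct backoff_entry *lookup(const char *ip, int create)
{
    struct backoff_entry *spare = NULL;
    for (int i = 0; i < MAX_ENTRIES; i++) {
        if (table[i].ip[0] == '\0') {
            if (!spare)
                spare = &table[i];
        } else if (strcmp(table[i].ip, ip) == 0) {
            return &table[i];
        }
    }
    if (!create || !spare)
        return NULL;            /* table full: caller treats the address as not locked */
    memset(spare, 0, sizeof *spare);
    strncpy(spare->ip, ip, sizeof spare->ip - 1);
    return spare;
}

/* Lockout length for the n-th consecutive failure: 60s, 120s, 240s, ... up to the cap. */
static long lockout_for(unsigned failures)
{
    long secs = BASE_LOCKOUT;
    for (unsigned i = 1; i < failures && secs < MAX_LOCKOUT; i++)
        secs *= 2;
    return secs > MAX_LOCKOUT ? MAX_LOCKOUT : secs;
}

/* Seconds of lockout remaining for ip at time now; 0 means a login attempt is allowed. */
long backoff_check(const char *ip, time_t now)
{
    struct backoff_entry *e = lookup(ip, 0);
    if (!e || e->locked_until <= now)
        return 0;
    return (long)(e->locked_until - now);
}

/* Record a failed login from ip at time now; returns the new lockout length in seconds. */
long backoff_fail(const char *ip, time_t now)
{
    struct backoff_entry *e = lookup(ip, 1);
    if (!e)
        return 0;
    e->failures++;
    long secs = lockout_for(e->failures);
    e->locked_until = now + secs;
    return secs;
}

/* A successful login clears the address's history (assumed policy, not from the post). */
void backoff_success(const char *ip)
{
    struct backoff_entry *e = lookup(ip, 0);
    if (e)
        memset(e, 0, sizeof *e);
}

void backoff_reset_all(void)
{
    memset(table, 0, sizeof table);
}

int main(void)
{
    /* Constructed scenario: one address fails three times, a second address is unaffected. */
    const char *attacker = "203.0.113.5", *other = "198.51.100.7";
    time_t t = 1000;
    backoff_reset_all();
    for (int i = 0; i < 3; i++) {
        long secs = backoff_fail(attacker, t);
        printf("failure %d from %s: locked out for %lds\n", i + 1, attacker, secs);
        t += secs;                 /* the attacker waits out each lockout before retrying */
    }
    printf("%s locked for %lds, %s locked for %lds\n",
           attacker, backoff_check(attacker, t - 1),
           other, backoff_check(other, t - 1));
    return 0;
}
```

Two points worth keeping in mind when wiring something like this into sshd: the check has to happen before the authentication exchange starts (otherwise the attacker still gets the attempts, just spread out), and keying on source address alone means a NATed office behind one IP can be locked out by a single misbehaving host, which is one reason the post suggests the problem may belong in PAM rather than in sshd.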

More information about the openssh-unix-dev mailing list