sshd exponential backoff patch

Robert Banz rob at nofocus.org
Sat Jan 24 03:32:20 EST 2009


Hey Sam,

This is a really nice idea. However, I'm not so hot on making a core
utility such as OpenSSH reliant on a library that isn't by default
available on most platforms.

-rob

On Jan 23, 2009, at 1:05 AM, Sam Watkins wrote:

> hi,
>
> I wrote a patch to openssh sshd.c which enables "exponential backoff",
> so that an attacker cannot brute force your password by making hundreds
> of login attempts.
>
> here is the code:
>
>  http://sam.nipl.net/sshd-backoff/
>
> An attacker who fails to login is locked out (by IP address) for 1
> minute, and the lockout period doubles for each failed login after that.
> Normally three logins are allowed before an ssh connection is
> terminated.
>
> This patch is "beta" software and might lock you out of your sshd, so be
> careful and make sure you are prepared for that.
>
> You can "test" the patch by attempting to break in to this server,
> nipl.net ssh is running on port 22
>
> The patch creates and uses a db-4 database in /var/lib/ssh/backoff.db
>
> I think my code is written carefully, but it might have some bugs. Also
> I think this problem might be better solved outside of sshd (maybe in
> pam). I'd be very grateful for any constructive feedback.
>
> Thanks!
>
> Sam
>
>
> ( I wrote a similar hack in shell-script a while ago, to prevent
> pppd running up a huge phone bill in the case that a dialup
> connection fails. )
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
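A self-contained sketch of the per-address lockout Sam describes, added here as an example and not code from his patch or from OpenSSH: a lockout of 1 minute after the first failed login from an address, doubling on each further failure, cleared by a successful login. Everything beyond that rule is an assumption of this example: the in-memory table in place of the db-4 file under /var/lib/ssh, the cap on doublings (MAX_DOUBLINGS) that keeps a long run of failures from turning into a multi-day self-lockout, and the function names backoff_delay, backoff_allowed, backoff_record_failure, backoff_record_success, backoff_failures and backoff_reset.

```c
#include <stdio.h>
#include <string.h>
#include <time.h>

#define MAX_ENTRIES   64   /* small fixed table, enough for the example */
#define BASE_LOCKOUT  60   /* first lockout: 1 minute, as in the post */
#define MAX_DOUBLINGS 10   /* assumption: cap at 2^10 minutes; not in the post */

struct backoff_entry {
    char     ip[46];        /* client address as text (room for IPv6) */
    unsigned failures;      /* consecutive failed logins from this address */
    time_t   locked_until;  /* epoch time at which the lockout ends */
};

static struct backoff_entry table[MAX_ENTRIES];
static size_t table_len;

static struct backoff_entry *lookup(const char *ip)
{
    for (size_t i = 0; i < table_len; i++)
        if (strcmp(table[i].ip, ip) == 0)
            return &table[i];
    return NULL;
}

/* Lockout length after the n-th consecutive failure: 60 s, 120 s, 240 s, ...
 * capped at BASE_LOCKOUT << MAX_DOUBLINGS so the delay cannot grow unbounded. */
time_t backoff_delay(unsigned failures)
{
    unsigned exp = failures ? failures - 1 : 0;
    if (exp > MAX_DOUBLINGS)
        exp = MAX_DOUBLINGS;
    return (time_t)BASE_LOCKOUT << exp;
}

/* 1 if the address may attempt a login at time `now`, 0 while locked out. */
int backoff_allowed(const char *ip, time_t now)
{
    struct backoff_entry *e = lookup(ip);
    return e == NULL || now >= e->locked_until;
}

/* Record a failed login and return the time at which the new lockout ends. */
time_t backoff_record_failure(const char *ip, time_t now)
{
    struct backoff_entry *e = lookup(ip);
    if (e == NULL) {
        if (table_len < MAX_ENTRIES) {
            e = &table[table_len++];
        } else {
            /* table full: reuse the entry whose lockout expires soonest */
            e = &table[0];
            for (size_t i = 1; i < table_len; i++)
                if (table[i].locked_until < e->locked_until)
                    e = &table[i];
        }
        memset(e, 0, sizeof *e);
        snprintf(e->ip, sizeof e->ip, "%s", ip);
    }
    e->failures++;
    e->locked_until = now + backoff_delay(e->failures);
    return e->locked_until;
}

/* A successful login clears the address's failure history. */
void backoff_record_success(const char *ip)
{
    struct backoff_entry *e = lookup(ip);
    if (e != NULL) {
        *e = table[--table_len];                       /* swap-remove */
        memset(&table[table_len], 0, sizeof table[0]);
    }
}

unsigned backoff_failures(const char *ip)
{
    struct backoff_entry *e = lookup(ip);
    return e ? e->failures : 0;
}

void backoff_reset(void)
{
    memset(table, 0, sizeof table);
    table_len = 0;
}

/* Stand-alone demo with a constructed client address and a fixed clock. */
int main(void)
{
    const char *ip = "198.51.100.7";   /* constructed, documentation range */
    time_t t = 1000;
    for (int i = 1; i <= 4; i++) {
        time_t until = backoff_record_failure(ip, t);
        printf("failure %d at t=%ld: locked until t=%ld (%ld s)\n",
               i, (long)t, (long)until, (long)(until - t));
        t = until;   /* retry exactly when the lockout ends */
    }
    printf("allowed at t=%ld? %d\n", (long)t, backoff_allowed(ip, t));
    return 0;
}
```

The table is keyed by the client address only, so the check is cheap and independent of which account was tried; the eviction rule when the table is full reuses the entry closest to expiry, which is the one whose loss matters least.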


