sshd exponential backoff patch

Martin Schröder martin at
Mon Jan 26 02:41:49 EST 2009

2009/1/25 Sam Watkins <swatkins at>:
>> > I think this problem might be better solved outside of sshd
>> I agree. For example by using the firewall.
> I think the problem with running "tail" on the logs or whatever and then
> feeding that data to the firewall is that an attacker would have time
> for probably a couple hundred attacks before that system would notice
> what's going on. or maybe there's a better way to do that which I don't
> know about. Also it would be non standard and complicated to configure
> it.

It's trivial on OpenBSD (where it can be done by the firewall) and on
Linux (e.g. install fail2ban). Since the OpenSSH devs also develope
OpenBSD, the chances of getting what you wish into OpenSSH are close
to nil (i.e. you have to convice Theo).

And of course you should use keys instead of passwords.


More information about the openssh-unix-dev mailing list