sshd exponential backoff patch

Martin Schröder martin at oneiros.de
Mon Jan 26 02:41:49 EST 2009


2009/1/25 Sam Watkins <swatkins at fastmail.fm>:
>> > I think this problem might be better solved outside of sshd
>>
>> I agree. For example by using the firewall.
>
> I think the problem with running "tail" on the logs or whatever and then
> feeding that data to the firewall is that an attacker would have time
> for probably a couple hundred attacks before that system would notice
> what's going on. Or maybe there's a better way to do that which I don't
> know about. Also it would be non standard and complicated to configure
> it.

It's trivial on OpenBSD (where it can be done by the firewall) and on
Linux (e.g. install fail2ban). Since the OpenSSH devs also develop
OpenBSD, the chances of getting what you wish into OpenSSH are close
to nil (i.e. you have to convince Theo).

And of course you should use keys instead of passwords.

Best
   Martin
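
The two sides of this exchange (a log-fed blocker is simple to set up; an attacker still gets some attempts in before it reacts) can both be seen in a small simulation. The following is an added example, not code from the thread, from OpenSSH or from fail2ban: it parses constructed sshd auth-log lines (hypothetical host name and RFC 5737 test addresses), applies the same rule fail2ban's sshd jail uses (ban a source after `maxretry` failures within `findtime`), and models the polling delay as `poll_interval`, so the result shows how many attempts slipped through before the ban took effect.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample auth.log excerpt (hypothetical host, RFC 5737 test addresses).
# 192.0.2.10 hammers the server; 198.51.100.7 is a legitimate user who mistypes once.
SAMPLE_LOG = """\
Jan 25 10:00:00 host sshd[2001]: Failed password for invalid user admin from 192.0.2.10 port 40001 ssh2
Jan 25 10:00:00 host sshd[2002]: Failed password for invalid user admin from 192.0.2.10 port 40002 ssh2
Jan 25 10:00:01 host sshd[2003]: Failed password for root from 192.0.2.10 port 40003 ssh2
Jan 25 10:00:01 host sshd[2004]: Failed password for root from 192.0.2.10 port 40004 ssh2
Jan 25 10:00:02 host sshd[2005]: Failed password for sam from 198.51.100.7 port 51000 ssh2
Jan 25 10:00:02 host sshd[2006]: Failed password for invalid user test from 192.0.2.10 port 40005 ssh2
Jan 25 10:00:02 host sshd[2007]: Failed password for invalid user test from 192.0.2.10 port 40006 ssh2
Jan 25 10:00:02 host sshd[2008]: Failed password for invalid user oracle from 192.0.2.10 port 40007 ssh2
Jan 25 10:00:03 host sshd[2009]: Failed password for invalid user oracle from 192.0.2.10 port 40008 ssh2
Jan 25 10:00:04 host sshd[2010]: Accepted publickey for sam from 198.51.100.7 port 51001 ssh2
Jan 25 10:00:05 host sshd[2011]: Failed password for invalid user postgres from 192.0.2.10 port 40009 ssh2
"""

# Matches the classic syslog-style "Failed password" line sshd writes.
FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>\S+) port \d+"
)


def parse_failures(text, year=2009):
    """Return [(datetime, ip), ...] for every failed-password line, in log order.

    Syslog timestamps carry no year, so the caller supplies one (assumed 2009 here).
    """
    events = []
    for line in text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue  # successful logins and unrelated lines are ignored
        ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
        events.append((ts, m.group("ip")))
    return events


def plan_bans(events, maxretry=5, findtime=timedelta(minutes=10),
              poll_interval=timedelta(seconds=1)):
    """Simulate a log-driven blocker such as fail2ban.

    A source is banned once it has `maxretry` failures inside a sliding `findtime`
    window. The blocker only notices at its next poll, so the ban takes effect
    `poll_interval` after the triggering attempt; attempts logged before that
    moment still reached sshd. Returns
    {ip: {"banned_at": datetime, "seen_before_ban": int, "blocked_after": int}}.
    """
    window = defaultdict(deque)  # per-source timestamps inside the findtime window
    report = {}
    for ts, ip in events:
        if ip in report:
            if ts >= report[ip]["banned_at"]:
                report[ip]["blocked_after"] += 1    # firewall would drop this one
            else:
                report[ip]["seen_before_ban"] += 1  # slipped in before the poll tick
            continue
        q = window[ip]
        q.append(ts)
        while q and ts - q[0] > findtime:
            q.popleft()  # drop failures that aged out of the window
        if len(q) >= maxretry:
            report[ip] = {
                "banned_at": ts + poll_interval,  # worst-case detection latency
                "seen_before_ban": len(q),
                "blocked_after": 0,
            }
    return report


if __name__ == "__main__":
    for ip, r in plan_bans(parse_failures(SAMPLE_LOG)).items():
        print(f"{ip}: banned at {r['banned_at']:%H:%M:%S}, "
              f"{r['seen_before_ban']} attempts reached sshd, "
              f"{r['blocked_after']} later attempts dropped")
```

With a one-second poll the attacking address gets seven attempts in before the rule bites, which is the latency Sam describes; with a kernel-side rate limit (OpenBSD pf's `max-src-conn-rate` with an overload table) the cutoff is enforced on the connection itself, with no log round trip. In fail2ban the same two knobs are the `maxretry` and `findtime` jail options.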

