sshd exponential backoff patch

Bob Proulx bob at proulx.com
Tue Jan 27 03:32:43 EST 2009


Sam Watkins wrote:
> I wrote a patch to openssh sshd.c which enables "exponential backoff",
> so that an attacker cannot brute force your password by making hundreds
> of login attempts.

I read "hundreds of login attempts" in order to brute force a
password.  But it actually takes orders of magnitude more to brute
force attack a password.  This is okay.  You really do want the best
attack available to be a brute force attack.  The present safeguards
will prevent the attack from succeeding before the end of time.

Avoiding passwords entirely and using rsa pub keys instead also avoids
the issue.  That is a good security measure.

I think it would be an interesting whitehat project to build an attack
program against ssh using a password guesser.  Then people who fear
that ssh passwords can be guessed too easily can play with it and be
assured that a successful brute force attack against ssh by password
guessing is actually quite difficult.

The advantage of your patch over an external process such as fail2ban
is that fail2ban is quite large and hard to use on smaller systems due
to resource constraints.

A disadvantage of your patch is that I think exponential backoff
creates too long of delays.  A non-exponential backoff seems more
desirable to me than an exponential backoff.

Bob
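To put numbers on the tradeoff Bob raises (guess budget for a single connection versus the wait a legitimate user sees after a few typos), here is an added example that is not code from this thread or from OpenSSH. It simulates a per-connection throttle that sleeps after each consecutive failure; the schedules, the 0.5 s per-attempt cost and the 24 h window are constructed assumptions, not sshd defaults.

```python
"""Guess budget vs. user-facing wait under per-failure backoff schedules (added example)."""
from typing import Callable

# n-th consecutive failure on one connection (n >= 1) -> delay in seconds before the next try
Schedule = Callable[[int], float]

def exponential_backoff(n: int, base: float = 1.0, cap: float = float("inf")) -> float:
    """Delay doubles each failure: base, 2*base, 4*base, ... bounded by cap."""
    return min(base * 2 ** (n - 1), cap)

def linear_backoff(n: int, step: float = 2.0, cap: float = float("inf")) -> float:
    """Delay grows by a fixed step each failure: step, 2*step, 3*step, ..."""
    return min(step * n, cap)

def no_backoff(n: int) -> float:
    """Baseline: the daemon imposes no extra delay."""
    return 0.0

def cumulative_delay(schedule: Schedule, failures: int) -> float:
    """Seconds a legitimate user waits in total after `failures` consecutive typos."""
    return sum(schedule(n) for n in range(1, failures + 1))

def guesses_in_window(schedule: Schedule, window: float, attempt_cost: float = 0.5) -> int:
    """Sequential guesses one connection fits into `window` seconds.

    attempt_cost (constructed: 0.5 s) stands for the auth round trip itself, so
    the unthrottled baseline stays finite; each guess is followed by schedule(n).
    """
    if attempt_cost <= 0:
        raise ValueError("attempt_cost must be positive")
    elapsed, guesses = 0.0, 0
    while elapsed + attempt_cost <= window:
        guesses += 1
        elapsed += attempt_cost + schedule(guesses)
    return guesses

def compare(window: float = 24 * 3600) -> dict:
    """Guess budget per schedule over one window, plus the wait after 3 and 10 typos."""
    schedules = {"none": no_backoff, "linear": linear_backoff, "exponential": exponential_backoff}
    return {name: {"guesses_per_window": guesses_in_window(s, window),
                   "wait_after_3": cumulative_delay(s, 3),
                   "wait_after_10": cumulative_delay(s, 10)}
            for name, s in schedules.items()}

if __name__ == "__main__":
    for name, row in compare().items():
        print(f"{name:12s} {row}")
```

With these assumptions the exponential schedule cuts a day's sequential guesses on one connection from 172800 to 17, but a user who mistypes ten times waits 1023 s versus 110 s under the linear schedule, which is the kind of delay Bob objects to.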


More information about the openssh-unix-dev mailing list