sshd exponential backoff patch

Peter Lambrechtsen plambrechtsen at
Wed Jan 28 14:28:03 EST 2009

I find a very effective way to prevent attacks (or at least slow them
down) is to run the following IPTables rule:

iptables -I INPUT -p tcp -i eth+ --dport 22 -m state --state NEW -m recent --set
iptables -I INPUT -p tcp -i eth+ --dport 22 -m state --state NEW -m
recent --update --seconds 300 --hitcount 3 -j DROP
iptables -A INPUT -p tcp -i eth+ --dport 22 -j ACCEPT

This will mean that it will drop any third attempt to ssh into your
box for 5 mins.  Quite effective from experience. I also agree that
keys are better than passwords.  And this does pose problems if you
have automated processed that connect repeatedly to your box as any
connection is tagged by iptables, valid or not will be dropped on the
third attempt if it is within the 5 min window.

A nice and simple low tech solution IMHO ;)


On Wed, Jan 28, 2009 at 2:01 PM, Jefferson Ogata
<Jefferson.Ogata at> wrote:
> On 2009-01-28 00:59, Jefferson Ogata wrote:
>> If that were true, password guessing attacks against sshd wouldn't
>> happen all the freakin' time (q.v.).
> I should clarify: I'm really talking about dictionary attacks, not pure
> brute force.
> --
> Jefferson Ogata <Jefferson.Ogata at>
> NOAA Computer Incident Response Team (N-CIRT) <ncirt at>
> "Never try to retrieve anything from a bear."--National Park Service
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at

More information about the openssh-unix-dev mailing list