Seeking advice for implementing a configurable login-delay option
Chris Rapier
rapier at psc.edu
Tue Feb 24 02:33:27 AEDT 2026
You may want to take a look at fail2ban. https://github.com/fail2ban/fail2ban

"Fail2Ban scans log files like /var/log/auth.log and bans IP addresses
conducting too many failed login attempts. It does this by updating
system firewall rules to reject new connections from those IP addresses,
for a configurable amount of time. Fail2Ban comes out-of-the-box ready
to read many standard log files, such as those for sshd and Apache, and
is easily configured to read any log file of your choosing, for any
error you wish."

While it doesn't impose additional delay after failed attempts, it will
simply block the source IP from trying new attempts after a defined
number of failures. We use it extensively where I work.

On 2/22/2026 02:04, Mehran Hashemi wrote:
>
> Hi everyone.
>
> I’m currently seeking advice to implement a login delay mechanism for
> login. This mechanism simply introduces a delay, which is configurable
> by the user, between login attempts, and helps to protect the device
> against malicious login connections such as dictionary attacks and DoS
> attacks.
>
> I am aware of the recently added `PerSourcePenalties`, but I think this
> mechanism is more suitable for dictionary attacks rather than DoS
> attacks because the attacker can use IP spoofing to bypass this option
> and continue password guessing.
>
> I will be happy to receive your recommendations and suggestions, whether
> this option could be useful or not, and how it would be good to be
> implemented.
>
> Thank you in advance.
>
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev