Seeking advice for implementing a configurable login-delay option

Darren Tucker dtucker at dtucker.net
Tue Feb 24 03:28:06 AEDT 2026


On Sun, 22 Feb 2026 at 02:07, Mehran Hashemi <mehranstock1383 at gmail.com>
wrote:

> I’m currently seeking advice to implement a login delay mechanism for
> login. This mechanism simply introduces a delay, which is configurable
> by the user, between login attempts, and helps to protect the device
> against malicious login connections such as dictionary attacks and DoS
> attacks.
>

Dictionary and DoS attacks are two different things, and somewhat at odds:
things that help one will sometimes hurt the other.  For example: to
mitigate dictionary attacks you want to limit auth attempts, but doing so
may also make conducting a DoS attack easier since those limits might be
lower.

If it's plausible in your environment, turning off password-based auth
entirely ("PasswordAuthentication no" and
"KeyboardInteractiveAuthentication no" in sshd_config) will make dictionary
attacks irrelevant.


> I am aware of the recently added `PerSourcePenalties`, but I think this
> mechanism is more suitable for dictionary attacks rather than DoS
> attacks because the attacker can use IP spoofing to bypass this option
> and continue password guessing.
>

What do you mean by "IP spoofing"?  I would be very surprised if it was
possible to get past an SSH KEX without seeing the responses, even if you
did manage to spoof a TCP connection.

If you mean "use another address on the network it's on" then yes that
would be possible, however it's not IP spoofing as such, and it's
what PerSourceNetBlockSize is for: eg setting it to "24:48" would make it
consider all addresses in the same IPv4 /24 and IPv6 /48s to be equivalent
for the purposes of PerSourceMaxStartups.


> I will be happy to receive your recommendations and suggestions, whether
> this option could be useful or not, and how it would be good to be
> implemented.
>

If your system uses PAM you can use pam_faildelay[0] to enforce a delay
between attempts, however that only applies within the same PAM auth
session, so you also need MaxStartups or PerSourceMaxStartups to prevent an
attacker from just opening many connections and parallelizing their guesses
across them.

[0] https://man7.org/linux/man-pages/man8/pam_faildelay.8.html

-- 
Darren Tucker (dtucker at dtucker.net)
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860  37F4 9357 ECEF 11EA A6FA
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
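
The grouping that PerSourceNetBlockSize provides, as an added example that is not part of the original message or of OpenSSH's own code: a small Python model of how a "24:48" setting makes sshd treat every address in the same IPv4 /24 (or IPv6 /48) as one source when applying a PerSourceMaxStartups-style limit on concurrent unauthenticated connections. The connection events and addresses are constructed (RFC 5737 documentation ranges), and the simulation is a deliberate simplification of sshd's bookkeeping, not its implementation.

```python
import ipaddress
from collections import Counter


def parse_netblock_size(spec: str) -> tuple[int, int]:
    """Parse a PerSourceNetBlockSize value such as "24:48" into (ipv4_bits, ipv6_bits).

    sshd's default is "32:128", i.e. every address is counted on its own.
    A single number applies to IPv4 only and leaves IPv6 at 128.
    """
    parts = spec.split(":")
    if len(parts) == 1:
        v4, v6 = int(parts[0]), 128
    elif len(parts) == 2:
        v4, v6 = int(parts[0]), int(parts[1])
    else:
        raise ValueError(f"bad PerSourceNetBlockSize: {spec!r}")
    if not (0 <= v4 <= 32 and 0 <= v6 <= 128):
        raise ValueError(f"prefix length out of range: {spec!r}")
    return v4, v6


def netblock_key(addr: str, v4_bits: int, v6_bits: int) -> str:
    """Map a source address to the netblock it is grouped into, e.g. 192.0.2.77 -> 192.0.2.0/24."""
    ip = ipaddress.ip_address(addr)
    bits = v4_bits if ip.version == 4 else v6_bits
    return str(ipaddress.ip_network(f"{ip}/{bits}", strict=False))


def simulate_startups(events, max_per_source: int, netblock_spec: str = "32:128"):
    """Replay (action, source_address) events under a per-netblock startup limit.

    'open'  = a new connection that has not yet authenticated
    'close' = that connection finished (authenticated or dropped)
    Returns the list of source addresses whose 'open' was refused.
    This is a simplified model of PerSourceMaxStartups, not sshd's code.
    """
    v4, v6 = parse_netblock_size(netblock_spec)
    active = Counter()   # unauthenticated connections currently open, per netblock
    refused = []
    for action, src in events:
        key = netblock_key(src, v4, v6)
        if action == "open":
            if active[key] >= max_per_source:
                refused.append(src)
            else:
                active[key] += 1
        elif action == "close":
            if active[key] > 0:
                active[key] -= 1
        else:
            raise ValueError(f"unknown event: {action!r}")
    return refused


# Constructed sample: four half-open connections spread across neighbouring
# addresses in one /24, plus one unrelated client that logs in normally.
SAMPLE_EVENTS = [
    ("open", "192.0.2.10"),
    ("open", "192.0.2.11"),
    ("open", "192.0.2.12"),
    ("open", "192.0.2.13"),
    ("open", "198.51.100.7"),
    ("close", "198.51.100.7"),
]

if __name__ == "__main__":
    # With the default 32:128 each address is its own source, so nothing is refused.
    print("32:128 refused:", simulate_startups(SAMPLE_EVENTS, max_per_source=3))
    # With 24:48 the whole /24 shares one limit, so the fourth connection is refused
    # while the client in a different /24 is unaffected.
    print("24:48  refused:", simulate_startups(SAMPLE_EVENTS, max_per_source=3, netblock_spec="24:48"))
```

The point the model makes is the one in the reply above: a limit keyed on the exact address is sidestepped by using neighbouring addresses, whereas keying it on the netblock is not, at the cost that legitimate clients sharing that block also share the limit. Pick the prefix lengths to match how addresses are actually allocated on the networks you serve.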

