Feature request: FAIL_DELAY-support for sshd
Darren Tucker
dtucker at zip.com.au
Wed Feb 2 10:07:28 EST 2005
Bjoern Voigt wrote:
> My Linux server is attacked every day with brute-force password-cracking
> attacks. I use openssh-3.9p1 (SuSE Linux 9.2) with the standard setup (PAM,
> LoginGraceTime 2m, MaxAuthTries 6). Unfortunately, I see cracking
> attempts with very short delays (1 second):
[...]
> I want to slow down these attacks with a login delay for failed logins. I
> tried FAIL_DELAY (in /etc/login.defs) for this, but unfortunately
> openssh has no support for this and ignores it.
3.9p1 should insert a delay on fail if PAM is configured to do so (it
does on my RH9 box) for password authentication. -current fixes that
for keyboard-interactive too.
None of this is going to make any difference for your situation, though.
Notice that the pids for each attempt are different? Even if each sshd
delays, it's not going to slow down an attacker much, if at all, since the
requests are effectively pipelined. It would mean that the resources
for each connection are tied up on your server for longer.
What would help is restricting the rate of connections permitted from
each source. (Such a feature was recently added to OpenBSD's pf, and
may exist in other filters.)
> 1) Many people ask for a FAIL_DELAY feature (Source: Google,
> Newsgroups, Mailinglists, ...)
> 2) The work-arounds are not perfect:
> a) Some people suggest using /lib/security/pam_tally.so (this
> PAM module denies access to accounts after too many login failures).
> Unfortunately this module can result in denial-of-service.
There's also a module to blacklist the source of such connections
(although I've not used it):
http://www.hexten.net/sw/pam_abl/index.mhtml
> Case 1: existing username, but wrong passwords
> $ ssh existing-user at localhost
Please try repeating this test with either:
- "PasswordAuthentication yes" and "ChallengeResponseAuthentication
no" in sshd_config
- a current development snapshot from
ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/snapshot/
--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
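The reply above argues that a per-connection delay does not help when each attempt arrives as a separate, pipelined sshd process, and that what helps is limiting the connection rate per source. The following added example (not code from the thread or from OpenSSH) shows the defender-side check that idea implies: it parses constructed sshd log lines, counts distinct sshd pids per source to confirm each attempt was its own connection, and flags any source exceeding a pf-style "3 connections per 10 seconds" sliding window. The log lines, hostnames and addresses are constructed; the threshold values are illustrative assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample sshd syslog lines (not taken from the original message):
# six pipelined attempts from one source, one second apart, each handled by a
# different sshd pid, plus a single failure from an unrelated host.
SAMPLE_LOG = """\
Feb 12 22:01:01 host sshd[4101]: Failed password for root from 192.0.2.10 port 51001 ssh2
Feb 12 22:01:02 host sshd[4102]: Failed password for root from 192.0.2.10 port 51002 ssh2
Feb 12 22:01:03 host sshd[4103]: Failed password for invalid user admin from 192.0.2.10 port 51003 ssh2
Feb 12 22:01:04 host sshd[4104]: Failed password for root from 192.0.2.10 port 51004 ssh2
Feb 12 22:01:05 host sshd[4105]: Failed password for root from 192.0.2.10 port 51005 ssh2
Feb 12 22:01:06 host sshd[4106]: Failed password for root from 192.0.2.10 port 51006 ssh2
Feb 12 22:01:05 host sshd[4190]: Failed password for bob from 198.51.100.7 port 40022 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[(?P<pid>\d+)\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port"
)

def parse(lines, year=2005):
    """Yield (timestamp, sshd pid, source address) for each failed-password line."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, int(m["pid"]), m["src"]

def pids_per_source(lines):
    """Map each source to the set of sshd pids that served it; one pid per
    attempt means each attempt was a separate connection, as the reply notes."""
    pids = defaultdict(set)
    for _ts, pid, src in parse(lines):
        pids[src].add(pid)
    return dict(pids)

def sources_over_rate(lines, max_conns=3, window_s=10):
    """Return {src: peak_count} for every source that exceeded max_conns failed
    connections within any window_s-second sliding window (assumed thresholds,
    modelled on a per-source connection-rate limit in a packet filter)."""
    recent = defaultdict(deque)
    peak = {}
    for ts, _pid, src in parse(lines):
        q = recent[src]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:
            q.popleft()          # drop timestamps that fell out of the window
        if len(q) > max_conns:
            peak[src] = max(peak.get(src, 0), len(q))
    return peak
```

Because the attacker's six connections are concurrent rather than serialised behind one delayed login, the per-source count is what exposes them; a delay inside each sshd would leave the same six pids in the log.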