Feature request: FAIL_DELAY-support for sshd
Sergio Gelato
Sergio.Gelato at astro.su.se
Thu Feb 3 01:41:44 EST 2005
* Darren Tucker [2005-02-02 10:07:28 +1100]:
> What would help is restricting the rate of connections permitted from
> each source. (Such a feature was recently added to OpenBSD's pf, and
> may exist in other filters.)
Would it really? My experience with these scans is that they don't make
much more than a hundred or so attempts on each server. At one attempt
per second, they're often long over by the time I review the logs. Merely
slowing them down is not going to decrease the total number of attempts,
I would think.
What I would find more useful is a more configurable policy as to what
authentications are acceptable from various sources. One may want to
only allow one-time passwords from untrusted IPs, for example. But since
I don't have code (nor even a particularly elegant design) to contribute
for this, I won't press the idea.
My current strategy for those scans is to blacklist the originating network
after the fact, unless it also has a history of being used for legitimate
accesses (which turns out to be rare for us).
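The after-the-fact blacklisting described in the post, worked through as an added example that is not part of the original message or of OpenSSH itself: it reads sshd syslog lines, counts failed authentications per originating network, and reports a network as a blacklist candidate only if it has no accepted login on record. The log lines are constructed for the example; the choice of a /24 (or /64 for IPv6) as "the originating network" and the threshold of three failures are assumptions, not anything the post specifies.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample sshd syslog lines for this example (not real log data).
# Older OpenSSH logs "illegal user", newer versions log "invalid user"; both are handled.
SAMPLE_LOG = """\
Feb  2 03:10:01 host sshd[1201]: Failed password for illegal user test from 203.0.113.7 port 41122 ssh2
Feb  2 03:10:02 host sshd[1203]: Failed password for illegal user admin from 203.0.113.7 port 41123 ssh2
Feb  2 03:10:03 host sshd[1205]: Failed password for root from 203.0.113.9 port 41130 ssh2
Feb  2 03:10:04 host sshd[1207]: Failed password for illegal user guest from 203.0.113.9 port 41131 ssh2
Feb  2 03:10:05 host sshd[1209]: Failed password for illegal user oracle from 203.0.113.7 port 41124 ssh2
Feb  2 03:10:06 host sshd[1209]: Connection closed by 203.0.113.7
Feb  2 09:15:20 host sshd[1300]: Failed password for sergio from 198.51.100.4 port 50001 ssh2
Feb  2 09:15:24 host sshd[1300]: Failed password for sergio from 198.51.100.4 port 50001 ssh2
Feb  2 09:15:28 host sshd[1300]: Failed password for sergio from 198.51.100.4 port 50001 ssh2
Feb  2 09:15:31 host sshd[1300]: Accepted publickey for sergio from 198.51.100.4 port 50001 ssh2
Jan 20 11:00:00 host sshd[900]: Accepted password for alice from 198.51.100.77 port 40000 ssh2
"""

# Matches the "Accepted <method> for <user> from <ip>" and "Failed <method> for ..."
# lines that sshd emits; other lines (connection closed, etc.) are ignored.
LOG_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) (?P<method>\S+) for "
    r"(?:(?:illegal|invalid) user )?(?P<user>\S+) from (?P<ip>\S+) port"
)


def parse_events(text):
    """Return a list of (result, user, ip_string) tuples for each auth line."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m:
            events.append((m.group("result"), m.group("user"), m.group("ip")))
    return events


def network_of(ip_str, v4_prefix=24, v6_prefix=64):
    """Map a source address to its 'originating network' (assumed /24 or /64)."""
    ip = ipaddress.ip_address(ip_str)
    prefix = v4_prefix if ip.version == 4 else v6_prefix
    return ipaddress.ip_network(f"{ip}/{prefix}", strict=False)


def candidate_blacklist(text, threshold=3):
    """Split networks with >= threshold failures into (blacklist, spared).

    A network is spared if any login from it was accepted: that is the
    'history of legitimate accesses' exception from the post.
    """
    failures = defaultdict(int)
    legit = set()
    for result, _user, ip in parse_events(text):
        net = network_of(ip)
        if result == "Accepted":
            legit.add(net)
        else:
            failures[net] += 1
    noisy = [net for net, n in failures.items() if n >= threshold]
    blacklist = sorted(net for net in noisy if net not in legit)
    spared = sorted(net for net in noisy if net in legit)
    return blacklist, spared


if __name__ == "__main__":
    block, keep = candidate_blacklist(SAMPLE_LOG)
    for net in block:
        print(f"blacklist {net}")
    for net in keep:
        print(f"spared    {net} (has accepted logins)")
```

On the constructed sample this blacklists 203.0.113.0/24 (five failures, no successes) and spares 198.51.100.0/24, where the three failures were followed by an accepted login and another user logs in from the same /24. The "spared" list is worth reviewing by hand: a compromised host inside a network with legitimate users would land there rather than on the blacklist.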