Feature request: FAIL_DELAY-support for sshd

Bjoern Voigt bjoern at cs.tu-berlin.de
Thu Feb 3 03:59:19 EST 2005


Sergio Gelato <Sergio.Gelato at astro.su.se> wrote:

> * Darren Tucker [2005-02-02 10:07:28 +1100]:
> > What would help is restricting the rate of connections permitted from 
> > each source.  (Such a feature was recently added to OpenBSD's pf, and 
> > may exist in other filters.)
> 
> Would it really? My experience with these scans is that they don't make
> much more than a hundred or so attempts on each server. At one attempt
> per second, they're often long over by the time I review the logs. Merely
> slowing them down is not going to decrease the total number of attempts,
> I would think. 

This is also my experience. They try usernames/passwords 50-150 times on 
each server. With a 1-second delay this may take 50-150 seconds. 

I think the cracking tools restrict the attacks to 50-150 attempts per 
day so that intrusion detection systems may not recognize them. 

But SSH allows many more attempts.

Look at this testing shell script:

--------------------------------------------------------------------
#! /bin/bash

startdate=`date`
# some test usernames
users=(aa ab ac ad ae af ag ah ai aj ak al am an ao ap aq ar as at \
    au av aw ax ay az)

# count of all usernames
count=${#users[*]}
i=0
while [ $i -lt $count ]
do
	auser=${users[$i]}
	echo $auser

	# testing with ssh (press RETURN at the password prompt)
	ssh $auser@localhost

	# testing with su (uncomment to use instead of ssh)
	#su $auser -c echo

	let i=i+1
done
enddate=`date`

echo "Checked $count users"
echo "Starttime: $startdate"
echo "Endtime:   $enddate"
--------------------------------------------------------------------

Because SSH does not accept passwords from stdin redirections, you have
to press the RETURN-key for testing.

This is my testing result:

--------------------------------------------------------------------
SSH-Server: openssh-3.9p1
SSH-Server-Config:
  UsePAM yes
  PasswordAuthentication no
  ChallengeResponseAuthentication yes

Checked 26 users
Starttime: Mi Feb  2 17:07:34 CET 2005
Endtime:   Mi Feb  2 17:07:41 CET 2005
--------------------------------------------------------------------

I'm able to test 26 usernames in only 7 seconds! I also tested with 

SSH-Server-Config:
  UsePAM yes
  PasswordAuthentication yes
  ChallengeResponseAuthentication no

But the result was nearly the same. 

In theory I could test 24*3600*26.0/7=320914 username/password
combinations per day without parallel connections.

With "MaxStartups 10 (default)" and parallel cracking I get a 10 times
higher number: 10*24*3600*26.0/79=284354

I have compared this result with the results of the "su"-command:

--------------------------------------------------------------------
FAIL_DELAY 3 (in /etc/login.defs)

Checked 26 users
Starttime: Mi Feb  2 17:13:21 CET 2005
Endtime:   Mi Feb  2 17:14:40 CET 2005
--------------------------------------------------------------------

With "su" testing 26 usernames takes 79 seconds. This is 10 times slower
than with ssh.

Regards, Björn
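Added example, not code from the post or from OpenSSH: the per-source counting an intrusion detection system needs to notice a burst like the 26-usernames-in-7-seconds run measured above. The log lines, host name, addresses and thresholds are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sshd auth-log sample (syslog style, no year); not from the post.
SAMPLE_LOG = """\
Feb  2 17:07:34 host sshd[1201]: Failed password for invalid user aa from 192.0.2.10 port 40001 ssh2
Feb  2 17:07:34 host sshd[1202]: Failed password for invalid user ab from 192.0.2.10 port 40002 ssh2
Feb  2 17:07:35 host sshd[1203]: Failed password for invalid user ac from 192.0.2.10 port 40003 ssh2
Feb  2 17:07:35 host sshd[1204]: Failed password for invalid user ad from 192.0.2.10 port 40004 ssh2
Feb  2 17:07:36 host sshd[1205]: Failed password for invalid user ae from 192.0.2.10 port 40005 ssh2
Feb  2 17:08:10 host sshd[1210]: Failed password for bjoern from 198.51.100.7 port 50123 ssh2
Feb  2 17:09:00 host sshd[1211]: Accepted password for bjoern from 198.51.100.7 port 50124 ssh2
"""

FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)

def parse_failures(log_text, year=2005):
    """Yield (timestamp, user, source) for every failed-password line."""
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["user"], m["src"]

def flag_sources(log_text, max_failures=3, window_seconds=10):
    """Return {source: (peak failures inside one window, usernames tried)}
    for every source whose peak exceeds max_failures; slow, single-user
    failures (a mistyped password) stay below the threshold."""
    by_src = defaultdict(list)
    for ts, user, src in parse_failures(log_text):
        by_src[src].append((ts, user))
    flagged = {}
    for src, events in by_src.items():
        events.sort()
        start, best, best_users = 0, 0, set()
        for end in range(len(events)):
            # slide the window start forward until it spans <= window_seconds
            while (events[end][0] - events[start][0]).total_seconds() > window_seconds:
                start += 1
            n = end - start + 1
            if n > best:
                best, best_users = n, {u for _, u in events[start:end + 1]}
        if best > max_failures:
            flagged[src] = (best, sorted(best_users))
    return flagged
```

A FAIL_DELAY-style pause in sshd would stretch the same 26 attempts over more than a minute, so a window this short would need to be widened accordingly.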

