bugzilla-daemon at mindrot.org
2005-May-31  11:04 UTC
[Bug 1049] Variable delay in password logins to fight dictionary attacks
http://bugzilla.mindrot.org/show_bug.cgi?id=1049
           Summary: Variable delay in password logins to fight dictionary attacks
           Product: Portable OpenSSH
           Version: 3.8.1p1
          Platform: ix86
        OS/Version: Linux
            Status: NEW
          Severity: enhancement
          Priority: P2
         Component: sshd
        AssignedTo: bitbucket at mindrot.org
        ReportedBy: heikki at indexdata.dk
I have seen many dictionary attacks on my ssh servers. I was thinking of a simple way to slow them down: Add a small delay to the login. Start with a half second, and double every time a password-based (or other) login fails from the same IP address, up to some limit.

This requires keeping a small array in memory, with each IP address that has recently failed to log in, delay time, and a time stamp when a login from them will be allowed again.

In a similar way, it should be possible to keep a time-out for each username, again doubling it. At a login, take the greater of the two delays.

Both tables can be limited to (say) 10000 entries, and if they flow over, discard oldest entries. Actually, this could also be used for logins that do not try passwords, in case someone tries to brute-force something else...

Possibly this is a well-known theory, and there is a well-known reason not to use it. If so, I'd like to hear about it.
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
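The two doubling-delay tables the report proposes (one keyed by IP address, one by username, the greater delay applied, each table bounded with oldest entries discarded), as an added Python example that is not OpenSSH code and not from the report; the 64-second cap, eviction by least-recent failure, and the sample addresses are assumptions.

```python
from collections import OrderedDict

BASE_DELAY = 0.5      # first failure: half a second, as in the report
MAX_DELAY = 64.0      # cap on the doubling (assumed value; report says "some limit")
MAX_ENTRIES = 10000   # table size from the report; oldest entries are discarded


class FailTable:
    """Maps a key (IP address or username) to (delay, allowed_at)."""

    def __init__(self, max_entries=MAX_ENTRIES):
        # OrderedDict keeps insertion order, so the first item is the
        # least recently failed key (assumed meaning of "oldest").
        self.entries = OrderedDict()
        self.max_entries = max_entries

    def record_failure(self, key, now):
        """Double this key's delay (starting at BASE_DELAY) and return it."""
        delay, _ = self.entries.pop(key, (0.0, 0.0))
        delay = BASE_DELAY if delay == 0.0 else min(delay * 2, MAX_DELAY)
        self.entries[key] = (delay, now + delay)   # re-inserted as newest
        while len(self.entries) > self.max_entries:
            self.entries.popitem(last=False)        # discard the oldest entry
        return delay

    def wait_for(self, key, now):
        """Seconds a login with this key must still wait (0.0 if none)."""
        if key not in self.entries:
            return 0.0
        _, allowed_at = self.entries[key]
        return max(0.0, allowed_at - now)


class LoginThrottle:
    """Combines the per-IP and per-username tables as the report suggests."""

    def __init__(self):
        self.by_ip = FailTable()
        self.by_user = FailTable()

    def delay_before_attempt(self, ip, user, now):
        # Take the greater of the two delays.
        return max(self.by_ip.wait_for(ip, now), self.by_user.wait_for(user, now))

    def login_failed(self, ip, user, now):
        # Penalise both the source address and the target account.
        return max(self.by_ip.record_failure(ip, now),
                   self.by_user.record_failure(user, now))
```

A caller would sleep for `delay_before_attempt(...)` before processing the attempt and call `login_failed(...)` on each failure.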
bugzilla-daemon at mindrot.org
2005-Jun-03  02:13 UTC
[Bug 1049] Variable delay in password logins to fight dictionary attacks
http://bugzilla.mindrot.org/show_bug.cgi?id=1049
djm at mindrot.org changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |WONTFIX
------- Additional Comments From djm at mindrot.org  2005-06-03 12:13 -------
This doesn't fit well with ssh's process model and would add quite a bit of complexity for pretty marginal gain. On the other hand, it could easily be implemented as a small program that watches logs and sets up firewall rules. Please see the extended discussion on this topic on the openssh-unix-dev at mindrot.org mailing list.
bugzilla-daemon at mindrot.org
2005-Jun-03  02:21 UTC
[Bug 1049] Variable delay in password logins to fight dictionary attacks
http://bugzilla.mindrot.org/show_bug.cgi?id=1049
------- Additional Comments From dtucker at zip.com.au 2005-06-03 12:21 -------
BTW it can also be implemented in the underlying auth systems that sshd uses, eg LinuxPAM has pam_fail_delay. See:
http://www.kernel.org/pub/linux/libs/pam/Linux-PAM-html/pam_appl-3.html#the-failure-delay-function
and for a way to set this in the PAM config files:
http://www.zip.com.au/~dtucker/patches/pam_faildelay.c