Recently I grew tired of the repeated ssh brute-force scanning bots so I implemented a blocking algorithm in our version of OpenSSH. My goal was to find an algorithm which could block most of the brute-force attempts while being simple to implement and not rely on any external software.

The algorithm I came up with is that login attempts are blocked if there have been X failed, and no successful, login attempts from the same address during the last Y seconds. A blocked login counts as a failed login.

The value X controls how many real shots at guessing a password the bot gets, so we want to keep it small. At the same time we need to allow users to mistype their passwords, so it cannot be too low. I have settled on a value of 3.

The bots typically make one attempt every few seconds, so the value of Y can be pretty low; 20-30 seconds should work just fine in today's environment.

Looking at my logs for the last three months I see that this algorithm would have blocked approximately 98.5% of all bot attempts.

My question now is if the OpenSSH developers are interested in an implementation of this? Or would I waste my time if I ported it to standard OpenSSH?

/MaF

--
Martin Forssen <maf at appgate.com>
Development Manager
Phone: +46 31 7744361
AppGate Network Security AB
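The blocking rule described in the message above, written out as an added example in Python; this is not code from the post or from OpenSSH. It keeps a per-address sliding window of attempts, blocks once X failures and no success fall inside the last Y seconds, and records a blocked attempt as a failure so a bot that keeps hammering stays blocked, while an address that logged in successfully inside the window is never blocked. The class and function names (BruteForceBlocker, attempt, replay), the log format and the addresses and timestamps are all constructed for the demonstration.

```python
"""Sliding-window ssh brute-force blocker (illustrative, not OpenSSH code).

Rule: an address is blocked when it has made at least X failed and no
successful login attempts during the last Y seconds.  A blocked attempt is
itself recorded as a failure, so the block extends as long as the bot keeps
trying and expires Y seconds after its last attempt.
"""
from collections import defaultdict, deque


class BruteForceBlocker:
    def __init__(self, max_failures=3, window_seconds=30):
        self.max_failures = max_failures    # X: real guesses a bot gets
        self.window = window_seconds        # Y: length of the sliding window
        # address -> deque of (timestamp, succeeded) for attempts in the window
        self.events = defaultdict(deque)

    def _prune(self, addr, now):
        """Drop attempts that are Y seconds old or older."""
        q = self.events[addr]
        while q and now - q[0][0] >= self.window:
            q.popleft()

    def is_blocked(self, addr, now):
        self._prune(addr, now)
        q = self.events[addr]
        failures = sum(1 for _, ok in q if not ok)
        succeeded = any(ok for _, ok in q)
        # A success inside the window (a legitimate user who mistyped and then
        # got it right) suppresses blocking even if failures have reached X.
        return failures >= self.max_failures and not succeeded

    def attempt(self, addr, now, password_ok):
        """Decide one login attempt: 'blocked', 'accepted' or 'rejected'.

        The decision is taken before the password is checked, so a blocked
        attempt with the right password is still refused.
        """
        if self.is_blocked(addr, now):
            self.events[addr].append((now, False))   # blocked counts as failed
            return "blocked"
        self.events[addr].append((now, password_ok))
        return "accepted" if password_ok else "rejected"


# Constructed sample log: "<seconds> <address> <ok|fail>", where ok/fail is
# whether the supplied password was correct.  Window state is per address,
# so the lines are grouped by address for readability.
SAMPLE_LOG = """\
0 10.0.0.5 fail
2 10.0.0.5 fail
4 10.0.0.5 fail
6 10.0.0.5 fail
8 10.0.0.5 ok
0 192.0.2.10 fail
5 192.0.2.10 fail
10 192.0.2.10 ok
12 192.0.2.10 fail
0 198.51.100.7 fail
1 198.51.100.7 fail
2 198.51.100.7 fail
3 198.51.100.7 fail
25 198.51.100.7 fail
50 198.51.100.7 fail
"""


def parse_log_line(line):
    ts, addr, result = line.split()
    return int(ts), addr, result == "ok"


def replay(log_text, max_failures=3, window_seconds=30):
    """Run every log line through the blocker; return (ts, addr, decision)."""
    blocker = BruteForceBlocker(max_failures, window_seconds)
    out = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, addr, ok = parse_log_line(line)
        out.append((ts, addr, blocker.attempt(addr, ts, ok)))
    return out


def blocked_fraction(results, addr):
    """Share of an address's attempts that never reached password checking."""
    mine = [d for _, a, d in results if a == addr]
    return sum(d == "blocked" for d in mine) / len(mine)


if __name__ == "__main__":
    for ts, addr, decision in replay(SAMPLE_LOG):
        print(f"t={ts:>3}  {addr:<14} {decision}")
```

Replaying the sample: 10.0.0.5 is blocked from its fourth attempt on, including the attempt at t=8 that carried the correct password; 192.0.2.10 reaches three failures in the window but is never blocked because it logged in successfully at t=10; 198.51.100.7 is blocked at t=3, still blocked at t=25 because the blocked attempt at t=3 itself counted as a failure, and back to plain rejections at t=50 once everything older than 30 seconds has left the window.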