Bug 1049

Summary: Variable delay in password logins to fight dictionary attacks
Product: Portable OpenSSH Reporter: Heikki Levanto <heikki>
Component: sshdAssignee: Assigned to nobody <unassigned-bugs>
Status: CLOSED WONTFIX    
Severity: enhancement    
Priority: P2    
Version: 3.8.1p1   
Hardware: ix86   
OS: Linux   

Description Heikki Levanto 2005-05-31 21:04:54 AEST 
I have seen many dictionary attacks on my ssh servers. I was thinking of a simple way to slow 
them down: Add a small delay to the login. Start with a half second, and double every time a 
password-based (or other) login fails from the same IP address, up to some limit. 
 
This requires keeping a small array in memory, with each IP address that has recently failed 
to log in, delay time, and a time stamp when a login from them will be allowed again. 
 
In a similar way, it should be possible to keep a time-out for each username, again doubling it. 
At a login, take the greater of the two delays.  
 
Both tables can be limited to (say) 10000 entries, and if they flow over, discard oldest entries. 
Actually, this could also be used for logins that do not try passwords, in case someone tries to 
brute-force something else... 
 
Possibly this is a well-known theory, and there is a well-known reason not to use it. If so, I'd 
like to hear about it.
Comment 1 Damien Miller 2005-06-03 12:13:02 AEST 
This doesn't fit well with ssh's process model and would add quite a bit of
complexity for pretty marginal gain. On the other hand, it could easily be
implemented as a small program that watches logs and sets up firewall rules.

Please see the extended discussion on this topic on the
openssh-unix-dev@mindrot.org mailing list.
Comment 2 Darren Tucker 2005-06-03 12:21:18 AEST 
BTW it can also be implemented in the underlying auth systems that sshd uses, eg
LinuxPAM has pam_fail_delay.  See:
http://www.kernel.org/pub/linux/libs/pam/Linux-PAM-html/pam_appl-3.html#the-failure-delay-function
and for a way to set this in the PAM config files:
http://www.zip.com.au/~dtucker/patches/pam_faildelay.c
Comment 3 Darren Tucker 2006-10-07 11:40:35 AEST 
Change all RESOLVED bug to CLOSED with the exception of the ones fixed post-4.4.