RE: Deliberately create slow SSH response?

I think you misunderstood how my suggestion differs from Kevin's.  I
wish I had more time and I would just write the patch myself... here's
the idea...

sample sshd.conf

# enable bad IP penalty box
penalty_box = yes

# 3 bad attempts within 60 seconds places the offending IP address
# in a penalty box
penalty_attempts = 3
penalty_window = 60

# login delay for IP address in penalty box (in seconds)
penalty_delay = 30

# how long an IP address stays in the penalty box (in minutes)
# the timer would be reset every time there is an invalid attempt.
# a value of 0 means the IP address stays in the penalty box permanently
# until a valid login is supplied.  valid logins would always remove an
# IP address from the penalty box
penalty_timeout = 5

# add an extra 5 seconds to the penalty_delay for each subsequent
# invalid login
penalty_delay_perturb = 5


I've never looked at the source, but I can't imagine this being much
more difficult than a simple structure and a linked-list.

Bryan


On Thu, 2008-07-10 at 19:16 +0000, Sergio Castro wrote:
> I'm sorry Bryan, this thread is getting confusing.
> What do I mean about what?
> 
> -----Original Message-----
> From: Bryan Christ [mailto:bryan.christ@xxxxxx]
> Sent: Thursday, July 10, 2008 02:17 p.m.
> To: Sergio Castro
> Subject: RE: Deliberately create slow SSH response?
> 
> What do you mean?
> 
> On Thu, 2008-07-10 at 19:12 +0000, Sergio Castro wrote:
> > So there you go, then IP filtering is not an option.
> >
> > -----Original Message-----
> > From: Bryan Christ [mailto:bryan.christ@xxxxxx]
> > Sent: Thursday, July 10, 2008 02:10 p.m.
> > To: Sergio Castro
> > CC: 'Zembower, Kevin'; secureshell@xxxxxxxxxxxxxxxxx
> > Subject: RE: Deliberately create slow SSH response?
> >
> > Unfortunately, I never know exactly where I'll be logging in from and
> > maintaining a blacklist/whitelist is tiresome.  As for moving the port
> > (another suggestion I saw) that's not really a possibility for me
> > either because some of the remote locations I shell in from don't
> > allow traffic out non-standard ports.
> >
> > On Thu, 2008-07-10 at 18:54 +0000, Sergio Castro wrote:
> > > Indeed, I agree.
> > > The point I'm trying to convey is that if the objective is to reduce
> > > the chance of an attack getting through, and given the fact that the
> > > service is SSH, then a better solution may be to limit access to
> > > trusted IPs.
> > > That's all I'm saying :)
> > >
> > > -----Original Message-----
> > > From: Bryan Christ [mailto:bryan.christ@xxxxxx]
> > > Sent: Thursday, July 10, 2008 01:51 p.m.
> > > To: Sergio Castro
> > > CC: 'Zembower, Kevin'; secureshell@xxxxxxxxxxxxxxxxx
> > > Subject: RE: Deliberately create slow SSH response?
> > >
> > > Sergio,
> > >
> > > I think Kevin and I realize that dictionary attacks are automated,
> > > but a 30-60 second delay would significantly slow them down to the
> > > point where it could hardly be called a brute force attack.
> > >
> > > On Wed, 2008-07-09 at 17:14 +0000, Sergio Castro wrote:
> > > > The brute force attacks are most likely automated, so if your
> > > > objective is to bore a human to death with 30 second delays, it
> > > > won't work.
> > > >
> > > > Have you thought about limiting access to the service to only
> > > > certain IPs?
> > > >
> > > > - Sergio
> > > >
> > > > -----Original Message-----
> > > > From: listbounce@xxxxxxxxxxxxxxxxx
> > > > [mailto:listbounce@xxxxxxxxxxxxxxxxx]
> > > > On behalf of Zembower, Kevin
> > > > Sent: Wednesday, July 09, 2008 11:56 a.m.
> > > > To: secureshell@xxxxxxxxxxxxxxxxx
> > > > Subject: Deliberately create slow SSH response?
> > > >
> > > > This might seem like a strange question to ask, but is there a way
> > > > to deliberately create a slow response to an SSH request? I'm
> > > > annoyed at the large number of distributed SSH brute-force attacks
> > > > on a server I administer, trying to guess the password for 'root'
> > > > and other accounts.
> > > > I think that my server is pretty secure; doesn't allow root to log
> > > > in through SSH, only a restricted number of accounts are allowed
> > > > SSH access, with I think pretty good passwords. But still, the
> > > > attempts annoy me.
> > > >
> > > > I wouldn't mind if SSH took say 30 seconds to ask me for my password.
> > > > This would slow the attempts. Is there any way to configure
> > > > OpenSSH to do this? I searched the archives of this group with
> > > > 'slow' and 'delay' but didn't come up with anything on this topic.
> > > > Please point it out to me if I overlooked anything. In addition, I
> > > > can limit the number of SSH connections to 3-5 and still operate
> > > > okay.
> > > >
> > > > Ultimately, I need this solution for hosts running OpenSSH_3.9p1
> > > > under RHEL ES 4 and OpenSSH_4.3p2 under Debian 'etch' 4.0 and
> > > > Fedora Core 6.
> > > >
> > > > Thanks in advance for your advice and suggestions.
> > > >
> > > > -Kevin
> > > >
> > > > Kevin Zembower
> > > > Internet Services Group manager
> > > > Center for Communication Programs
> > > > Bloomberg School of Public Health
> > > > Johns Hopkins University
> > > > 111 Market Place, Suite 310
> > > > Baltimore, Maryland  21202
> > > > 410-659-6139
> > > >
> > > >
> > > > __________ NOD32 3255 (20080709) Information __________
> > > >
> > > > This message was checked by NOD32 antivirus system.
> > > > http://www.eset.com
> > > >
> > > >
> > >
> > >
> > >
> >
> >
> >
> 
> 
> 
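
The penalty box described at the top of this message, sketched as a structure and a linked list. This is an added example, not part of the original message and not OpenSSH code. The pb_* names and the node layout are hypothetical, the settings from the sample configuration are compile-time constants, the 60-second window is assumed to be a fixed window that starts at the first failure, and the caller supplies the current time.

```c
#include <stdlib.h>
#include <string.h>
#include <time.h>
/* Values from the sample configuration in the message. */
enum { ATTEMPTS = 3, WINDOW = 60, DELAY = 30, TIMEOUT_MIN = 5, PERTURB = 5 };

struct pb_entry {                     /* hypothetical node, one per source IP */
    char ip[46];                      /* textual IPv4 or IPv6 address */
    int fails, boxed, extra;          /* window count, in box?, failures since boxing */
    time_t window_start, last_fail;
    struct pb_entry *next;
};
static struct pb_entry *pb_head;

/* Return the link holding the entry for ip, or the tail link if there is none. */
static struct pb_entry **pb_find(const char *ip) {
    struct pb_entry **pp = &pb_head;
    while (*pp && strcmp((*pp)->ip, ip) != 0) pp = &(*pp)->next;
    return pp;
}

/* A valid login always removes the address from the list. */
void pb_login_ok(const char *ip) {
    struct pb_entry **pp = pb_find(ip), *e = *pp;
    if (e) { *pp = e->next; free(e); }
}

/* Seconds to stall this address; frees the entry once penalty_timeout has passed. */
int pb_delay(const char *ip, time_t now) {
    struct pb_entry *e = *pb_find(ip);
    if (!e || !e->boxed) return 0;
    if (TIMEOUT_MIN > 0 && now - e->last_fail >= TIMEOUT_MIN * 60) { pb_login_ok(ip); return 0; }
    return DELAY + PERTURB * e->extra;
}

/* Record an invalid login; returns 1 if the address is in the box afterwards. */
int pb_login_failed(const char *ip, time_t now) {
    pb_delay(ip, now);                         /* expire a stale box entry first */
    struct pb_entry **pp = pb_find(ip), *e = *pp;
    if (!e) {
        if (!(e = calloc(1, sizeof *e))) return 0;
        strncpy(e->ip, ip, sizeof e->ip - 1);
        e->window_start = now; *pp = e;
    }
    e->last_fail = now;                        /* every invalid attempt resets the timer */
    if (e->boxed) { e->extra++; return 1; }
    if (now - e->window_start > WINDOW) { e->window_start = now; e->fails = 0; }
    if (++e->fails >= ATTEMPTS) e->boxed = 1;
    return e->boxed;
}
```

Entries that never reach the box are only freed by a valid login here, so a real daemon would also need to age them out to bound memory use under a distributed attack.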

