Hi,

a couple of years ago I submitted an idea like yours! My idea was that the ssh server waits up to... say 2^N seconds between failed logins before showing the login prompt again, N being the Nth try! So the first login comes instantly. After a failed login I have to wait 2 seconds, after a second failed login I have to wait 4s... 8s... 16s... 32s... 2^N seconds!

This will not disturb a normal human login with a couple of failures but makes a robot wait with a potential law. I don't know why, but nobody liked my idea.

Cheers!

2011/3/30 nagygabor88 <nagygabor88@xxxxxxxx>:
> I'm writing here, because the ssh dev list says:
>
> Mail Delivery Status Notification (Delay)
> [Status: Error, Address: <openssh-unix-dev@xxxxxxxxxxx>, ResponseCode 451, Temporary failure, please try again later.]
>
> So:
>
> What is your opinion about the next idea? Please write down ++/-- thoughts:
>
> it's against brute-force attacks on sshd:
>
> if a user wants to connect to an ssh server then he has to wait a couple of seconds, then he can write his passphrase.
> the "couple of seconds" is defined in the sshd config, e.g.: 2 seconds
> the method mustn't show that the user has to wait 2 seconds to write his passphrase.
>
> important: the user could type in his password before the 2 seconds, but the sshd will only process the chars that have been typed after 2 seconds!
>
> effect:
>
> in this way, if a brute force "robot" comes, and tries to log in with a generated password it will likely input that in a matter of milliseconds, ok.
> BUT: the sshd will only give back that the password is bad. - because it only processes the password that has been typed 2 seconds after the "type your password" appears on client side.
>
> if this idea would spread, then the attackers would "adapt", and wait e.g.: 5 seconds before their robot gives the generated password to sshd. - BUT: this will take them too many resources, and the brute-force will be far less effective.
>
> so can this be a feature in sshd? :O
>
> What do you think?
>
> Thank you!