Re: SSH Failed password delay
From: Walter Mautner (mynews.20.eatallspam_at_spamgourmet.com)
Date: Thu, 14 Oct 2004 21:07:41 +0200
Frank de Bot wrote:
> Occasionaly I see failed password for ssh in the syslog. This somewhat
> bothers me, because some of my users are using weak passwords (And
> refuse to use good ones :-/) I've looked for methods to firewall those
> who try to login and fail to for xx times. The only usable solution this
Well, lusers who fail to remember their password or who didn't write it on a
post-it at the bottom of their keyboard, are better then these who never
complain because of the post-it or a password as simple as the name of
> way was to analyze the auth log and firewall the IP's, but when this is
> done hackers had all the time to break in. Another solution I had in my
> mind, was to have a 1 second delay before ssh accepts a password to
> receive or take a second orso to "verify" the password. Brute force
> cracking a password (even a weak one) would take pretty long (long
> enough to apply the firewall method) I've search in man pages of sshd
> and in PAM to put in such a delay, but couldn't find anything.
> Can it be done to give password authentication a delay?
If you use xinetd, there is the "cps" setting (connections per second, with
delay time in between) that comes to my mind.
To block crack attacks, use a xinetd "sensor" service at the usual ssh port
instead, with a considerably large deny_time, and tell your regular users
which (different) port to use.
-- Longhorn error#4711: TCPA / NGSCB VIOLATION: Microsoft optical mouse detected penguin patterns on mousepad. Partition scan in progress to remove offending incompatible products. Reactivate your MS software. Linux woodpecker.homnet.at 2.6.8reiser4pkt [LinuxCounter#295241]