[NBLUG/talk] opensshd delay after fail

Aaron Grattafiori nite at sonic.net
Mon Oct 17 22:10:31 PDT 2005


Interesting.. Would this behavior be the same if you tried a user account
that didn't exist? Hopefully not, otherwise you could use it to identify
users on the system by measuring the delay.

I know that on my FreeBSD server, the password prompt never has a delay,
but my Gentoo Linux desktop.. does. (ssh or no ssh)
Is this maybe because of how PAM works?

On my desktop, if I do: $ ssh root at localhost
I get 3 password prompts with 2-3 second delays.. then a
Permission denied (publickey,keyboard-interactive) message.
It does the same thing whether the user exists on the system or not.

If I was running a box that could not use SSH keys, because I wanted to
be able to access it without a key, or whatever reason... I would take
the following actions, which I think were already stated.

1) Change to a non-standard port for SSH (i.e. not 22)
	(This COULD be seen as 'security through obscurity' but I would
	disagree. It's not that the security of the system depends on the
	secrecy of the port. It's only to prevent 99% of all scans
	returning that you have ssh running..)
2) Force strong passwords (you should trust your users to do so...)
3) Don't allow remote root login

I know on a friend's server, if you log in with the incorrect IP address
more than a few times, you are automatically added to a blocklist for ssh.

good luck, let us know if you figure out any tricks,
  -Aaron

On Mon, 2005-10-17 at 09:32 -0700, Christopher Wagner wrote:
> I don't have your answer but I was curious...
> -----
> $ ssh -l root ssh.example.com
> Password: <garbage>
> <delay 2-3 secs>
> Password: <garbage>
> <delay 2-3 secs>
> Password: <garbage>
> <delay 2-3 secs>
> root at ssh.example.com's password:
> <no delay>
> Permission denied, please try again.
> root at ssh.example.com's password:
> <no delay>
> Permission denied, please try again.
> root at ssh.example.com's password:
> <no delay>
> Permission denied, please try again.
> $
> -----
> 
> I'm rather puzzled by this behavior.  (It asks six times, with the first
> three being a different password prompt, with the delay).  Any ideas?
> 
> I'm running Debian Etch, all stock packages.
> 
> - Chris
> 
> Bob Blick wrote:
> 
> >Everybody who reads their logs sees brute force ssh login attempts, once
> >per second or more frequently.
> >
> >For highest security, having no users and disabling interactive ssh is the
> >way to go, but this is impractical.
> >
> >Some people have routed sshd through the pam modules to add a delay, but
> >pam doesn't behave the way one would like for ssh.
> >
> >Has anyone found a solution that adds a delay to sshd for failed login
> >attempts? A patch to opensshd or an alternative to opensshd?
> >
> >Thanks,
> >
> >Bob
> >
> >
> >
> >_______________________________________________
> >talk mailing list
> >talk at nblug.org
> >http://nblug.org/cgi-bin/mailman/listinfo/talk
> >  
> >
> 
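As an added example (not code from anyone in this thread), a small POSIX shell script that does, from sshd's syslog lines, what the blocklist on Aaron's friend's server does: count failed password attempts per source address and list the ones over a threshold. It also lists the nonexistent usernames that were tried, which is the account-guessing pattern the thread worries about. The log lines are constructed; the "Failed password for [invalid user] NAME from IP" wording is the one OpenSSH writes, and the threshold is a parameter.

```shell
#!/bin/sh
# Constructed sample of sshd syslog lines (not taken from the thread). The
# "Failed password for [invalid user] NAME from IP port N ssh2" wording is what
# OpenSSH logs; "invalid user" marks an account that does not exist.
SAMPLE_LOG='Oct 17 22:01:01 host sshd[1001]: Failed password for root from 192.0.2.10 port 4001 ssh2
Oct 17 22:01:02 host sshd[1002]: Failed password for root from 192.0.2.10 port 4002 ssh2
Oct 17 22:01:03 host sshd[1003]: Failed password for invalid user admin from 192.0.2.10 port 4003 ssh2
Oct 17 22:01:04 host sshd[1004]: Failed password for invalid user test from 192.0.2.10 port 4004 ssh2
Oct 17 22:01:05 host sshd[1005]: Failed password for bob from 198.51.100.7 port 5001 ssh2
Oct 17 22:01:06 host sshd[1006]: Accepted publickey for bob from 198.51.100.7 port 5002 ssh2'

# Read log lines on stdin; print "COUNT IP" per source address, most failures first.
failed_by_ip() {
    awk '/sshd\[[0-9]+\]: Failed password for / {
             for (i = 1; i <= NF; i++) if ($i == "from") { c[$(i + 1)]++; break }
         }
         END { for (ip in c) print c[ip], ip }' | sort -rn
}

# Read log lines on stdin; print the addresses with at least $1 failures,
# i.e. the candidates for the kind of blocklist mentioned in the thread.
blocklist() {
    failed_by_ip | awk -v t="$1" '$1 >= t { print $2 }'
}

# Read log lines on stdin; print the nonexistent usernames that were tried.
# Many distinct names here means someone is guessing which accounts exist.
probed_invalid_users() {
    awk '/Failed password for invalid user / {
             for (i = 1; i <= NF; i++) if ($i == "user") { print $(i + 1); break }
         }' | sort -u
}

# Stand-alone run: report on the constructed sample above.
printf '%s\n' "$SAMPLE_LOG" | failed_by_ip
printf '%s\n' "$SAMPLE_LOG" | blocklist 3
printf '%s\n' "$SAMPLE_LOG" | probed_invalid_users
```

On a real host you would feed the functions from the auth log (for example `grep sshd /var/log/auth.log | blocklist 5`) and hand the output to whatever firewall or tcp_wrappers rule you use; the script only reports, it does not block anything itself.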