[Bug 1628926] Re: Postpone login attempts if X successive attempts have failed
Seth Arnold
1628926 at bugs.launchpad.net
Fri Sep 30 19:16:46 UTC 2016
The ufw frontend to iptables has an easy 'limit' command that automates
much of the tedium of installing firewall rulesets by hand. This will
address specific IPs doing brute-force login attempts but distributed
brute-force login attempts won't be affected.
There's also a pam_faildelay(8) module that does rate-limiting of users
on authentication failure.
ssh specifically is far safer when password authentication is just not
allowed; ssh keys are not useful to brute-force. Set
"PasswordAuthentication no" in /etc/ssh/sshd_config.
Thanks
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to openssh in Ubuntu.
https://bugs.launchpad.net/bugs/1628926
Title:
Postpone login attempts if X successive attempts have failed
Status in openssh package in Ubuntu:
Incomplete
Bug description:
** This is a feature request regarding security. **
Please add to the login method a mechanism that postpones successive
login attempts if X attempts have failed.
Obviously this can be further enhanced - for example:
If X successive login attempts failed, then disable that specific login method for that specific user for Y minutes.
If Y minutes have passed and the additional successive attempts failed again - then disable that specific login method for that specific user for 2*Y minutes.
And so on...
Values of X and Y should be configured by the 'root' user.
Benefits: greatly reduces the risk of remotely brute-forcing the
password.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/1628926/+subscriptions
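The escalating lockout proposed in the bug description, modelled as an added example; it is not part of the bug report, the reply, or openssh. Assumptions: "and so on" is read as doubling (Y, 2*Y, 4*Y, ...), a successful login resets the escalation, and lockouts are capped at `max_seconds`; all class and function names are hypothetical.

```python
from dataclasses import dataclass

@dataclass
class _State:
    failures: int = 0          # successive failures since last success or lockout
    level: int = 0             # lockouts served so far; the next lasts Y * 2**level
    locked_until: float = 0.0  # timestamp before which attempts are refused

class LockoutPolicy:
    """Escalating lockout per (user, login method): X failures -> Y, 2*Y, 4*Y, ..."""

    def __init__(self, x, y_seconds, max_seconds=86400):
        self.x, self.y, self.max = x, y_seconds, max_seconds  # cap is an assumption
        self._states = {}

    def allowed(self, user, method, now):
        st = self._states.get((user, method))
        return st is None or now >= st.locked_until

    def record(self, user, method, success, now):
        """Record one attempt; return the lockout it triggers in seconds (0 if none)."""
        st = self._states.setdefault((user, method), _State())
        if now < st.locked_until:
            return 0           # refused while locked; not counted as a failure
        if success:
            del self._states[(user, method)]   # assumption: success resets escalation
            return 0
        st.failures += 1
        if st.failures < self.x:
            return 0
        duration = min(self.y * 2 ** st.level, self.max)
        st.failures, st.level, st.locked_until = 0, st.level + 1, now + duration
        return duration

def simulate(policy, events):
    """Replay (timestamp, user, method, success) tuples; return lockouts triggered."""
    return [policy.record(u, m, ok, t) for t, u, m, ok in events]

# Constructed sample: X=3 failures, Y=60 seconds.
SAMPLE = [(0, "alice", "password", False), (1, "alice", "password", False),
          (2, "alice", "password", False),    # third failure: locked for Y
          (10, "alice", "password", False),   # inside the lockout: refused
          (62, "alice", "password", False), (63, "alice", "password", False),
          (64, "alice", "password", False),   # second round: locked for 2*Y
          (70, "bob", "password", False)]     # other users are unaffected

if __name__ == "__main__":
    print(simulate(LockoutPolicy(3, 60), SAMPLE))
```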