Postpone login attempts if X successive attempts have failed

Bug #1628926 reported by johnmne
Affects: openssh (Ubuntu)
Status: Won't Fix
Importance: Undecided
Assigned to: Unassigned
Milestone: (none)

Bug Description

** This is a feature request regarding security. **

Please add to the login method a mechanism that postpones successive login attempts if X attempts have failed.

Obviously this can be further enhanced - for example:
If X successive login attempts failed, then disable that specific login method for that specific user for Y minutes.
If Y minutes have passed and the additional successive attempts failed again - then disable that specific login method for that specific user for 2*Y minutes.
And so on...

Values of X and Y should be configured by the 'root' user.

Benefits: greatly reduces the risk of remotely brute-forcing the password.
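The lockout scheme the report asks for (after X successive failures, disable that login method for that user for Y minutes; if the next X attempts after the lockout fail again, lock for 2*Y, then 4*Y, and so on) written out as an added Python example. This is not code from the report or from OpenSSH; the class and method names, the choice of seconds as the time unit, and the rule that one successful login resets all counters are assumptions made here.

```python
"""Per-user exponential lockout for one authentication method (constructed example)."""
from dataclasses import dataclass, field


@dataclass
class UserState:
    failures: int = 0          # successive failures since the last reset or lockout
    lockouts: int = 0          # lockouts so far; drives the Y, 2*Y, 4*Y, ... growth
    locked_until: float = 0.0  # timestamp until which the method is disabled


@dataclass
class LoginLimiter:
    max_failures: int     # X: failures before the method is disabled
    base_lockout: float   # Y: first lockout duration, in seconds (assumed unit)
    users: dict = field(default_factory=dict)

    def is_locked(self, user: str, now: float) -> bool:
        st = self.users.get(user)
        return st is not None and now < st.locked_until

    def seconds_remaining(self, user: str, now: float) -> float:
        st = self.users.get(user)
        if st is None:
            return 0.0
        return max(0.0, st.locked_until - now)

    def record(self, user: str, now: float, success: bool) -> str:
        """Record one login attempt and return 'locked', 'ok' or 'failed'.

        'now' is a timestamp supplied by the caller (e.g. time.monotonic())
        so the logic is deterministic and easy to test.
        """
        st = self.users.setdefault(user, UserState())
        if now < st.locked_until:
            # Method is disabled for this user: refuse before evaluating the
            # credential, and do not extend the lockout for attempts made
            # while locked (they are not "additional successive attempts"
            # after Y minutes have passed).
            return "locked"
        if success:
            self.users.pop(user, None)  # assumption: success resets everything
            return "ok"
        st.failures += 1
        if st.failures >= self.max_failures:
            duration = self.base_lockout * (2 ** st.lockouts)  # Y, 2*Y, 4*Y, ...
            st.lockouts += 1
            st.failures = 0
            st.locked_until = now + duration
            return "locked"
        return "failed"


def demo() -> list:
    """Walk one user through two escalating lockouts; returns the outcomes."""
    lim = LoginLimiter(max_failures=3, base_lockout=60)  # X=3, Y=60 s (constructed)
    out = []
    for t in (0, 1, 2):
        out.append(lim.record("alice", t, False))     # failed, failed, locked (60 s)
    out.append(lim.record("alice", 30, False))        # still locked
    for t in (62, 63, 64):
        out.append(lim.record("alice", t, False))     # failed, failed, locked (120 s)
    out.append(lim.record("alice", 200, True))        # lock expired at 184: ok
    return out


if __name__ == "__main__":
    print(demo())
```

The counters are keyed on the username, which is what the report asks for and also what makes the trade-off visible: anyone who knows a valid username can keep that account's password method locked by sending X bad passwords per window, so a deployment has to decide whether to key on source address instead, to delay rather than refuse, or to cap the growth. Whatever the choice, the 'locked' path must return before the credential is checked, otherwise the limiter stops nothing.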

Christian Ehrhardt (paelzer) wrote :
Changed in openssh (Ubuntu):
status: New → Incomplete
Seth Arnold (seth-arnold) wrote :

The ufw frontend to iptables has an easy 'limit' command that automates much of the tedium of installing firewall rulesets by hand. This will address specific IPs doing brute-force login attempts but distributed brute-force login attempts won't be affected.

There's also a pam_faildelay(8) module that does rate-limiting of users on authentication failure.

ssh specifically is far safer when password authentication is just not allowed; ssh keys are not useful to brute-force. Set "PasswordAuthentication no" in /etc/ssh/sshd_config.

Thanks

Robie Basak (racb) wrote :

This is a feature request that may be addressed by upstream, but certainly won't be addressed by Ubuntu in a delta. Therefore I'm marking the "openssh (Ubuntu)" task as Won't Fix for now, because we have no plans to fix it in Ubuntu. If you'd still like this feature in the openssh package, then you'll need to convince the upstream openssh maintainers to add the feature, and then Ubuntu will in time inherit it.

Changed in openssh (Ubuntu):
status: Incomplete → Won't Fix
johnmne (phi-reporter) wrote :

@Robie Basak (racb):

OK, though having good default values greatly impacts the security of systems world-wide.

Normal users just install software but don't configure it.
This encourages hackers to attempt to hack users world-wide.
If hackers knew that good default configurations (which greatly prevent brute-forcing attempts) were present by default for everyone, then they would probably give up before trying...

Robie Basak (racb) wrote :

See https://en.wikipedia.org/wiki/Denial-of-service_attack - that's the counterargument.

But whichever way, you don't have the right audience here. Tell upstream :)
