This has been discussed before. It can be implemented by monitoring
the logs, and firewall rules. That said it is a denial of service
once that monitoring and locking start happening.

Here are some threads:

"How to use SSH with Failed Login attempts and locking
accounts" (though it starts with locking accounts on the MP-RAS
system it generally applies)<
unix-dev&m=115265219510067&w=2>, I think this is the same thread but
good explaination <
"Automatic blacklist of IP-addresses.">
"Blacklisting repeated login tries" <

I stuck the quoted subject line and a link to each thread. Using
the subject should make finding the thread easier if you the above
links stop working someday.

The problem with automatic locking is that you will probably block a
legitimate user out. If you are just going to block an ip for a
limited time it will annoy the legitimate user who fell within that
ip (ip of homes users are often nat'd or use dhcp). If you
permanently block the ip it is of course worse since the user can no
longer connect. If you lock the given account after some number of
failed logins you will probably lose access to the machine and have
to login through the physical console connected to the box. (a big
hassle if you box is colocated somewhere)

I run several servers on the net with ssh open to the world, and see
failed login attempts a lot. What I have generally done is ignore
it. If I see the same ip a whole lot (like several hours at a time,
over a few days, and enough that my mail is filling up, or the
machine is noticeably slowing down) I have been known to block the
offending ip completely after making sure that none of my users are
likely to come from that ip. In general I limit ssh logins only to
users who need them and do require secure passwords. I encourage all
users to use secure passwords for all their accounts. Finally on one
box I got tired of all the junk in my logs so I did move ssh to
listen on another port, be aware this does not make the machine any
more secure (security through obscurity does not work. Go find and
read " The Inevitability of Failure: The Flawed Assumption of
Security in Modern Computing Environments" and related articles).

Hopefully this will help end discussions on locking accounts due to
a failed login, failed password, or too many failed attempts from a
given ip.


On Nov 14, 2006, at 12:19 , Mark Burton wrote:
> Hi,
> When people try and break into my system from the internet I get lots
> of messages like:
> Nov 14 19:08:13 rook sshd[6333]: Failed password for invalid user
> guest from port 40811 ssh2
> Nov 14 19:08:19 rook sshd[6338]: Invalid user admin from
> Nov 14 19:08:19 rook sshd[6338]: Failed password for invalid user
> admin from port 40920 ssh2
> Nov 14 19:08:24 rook sshd[6342]: Invalid user admin from
> Nov 14 19:08:24 rook sshd[6342]: Failed password for invalid user
> admin from port 40994 ssh2
> Nov 14 19:08:29 rook sshd[6346]: Invalid user user from
> Nov 14 19:08:29 rook sshd[6346]: Failed password for invalid user
> user from port 41070 ssh2
> Nov 14 19:08:35 rook sshd[6351]: Failed password for root from
> port 41137 ssh2
> Nov 14 19:08:40 rook sshd[6355]: Failed password for root from
> port 41204 ssh2
> Nov 14 19:08:45 rook sshd[6359]: Failed password for root from
> port 41279 ssh2
> It would be good if sshd could detect such break in attempts and
> simply not accept the connections. I can imagine having a simple
> mechanism that counts the number of login attempts from a given IP
> address and if so many are attempted in a short time period, that IP
> address is blacklisted for a while.
> Is something like that possible?
> Thanks,
> Mark

openssh-unix-dev mailing list