Login Delay
Paul Lussier
p.lussier at comcast.net
Sun Jun 26 22:17:01 EDT 2005
"Steven W. Orr" <steveo at syslang.net> writes:
> I really don't like jumping in without knowing the correct answer, but it
> really sounds to me like This Is A Job For PAM. This is exactly what PAM
> was designed for. Anyone know if PAM has a module that does this? I know
> for sure you can control the duration of the delay after the number of
> failures causes the trigger to go off.
I was going to suggest the same thing. Another approach would be to
wrap login with a program/script which asymptotically increased the
wait time before spawning login. The basic algorithm would be something like:
For each IP address attempting a login:
  - Check a log file to see if a failed attempt has occurred recently
    (within some set time-frame) and note the amount of delay required
    this time in case of a failed attempt.
  - If the attempt fails:
      - Log the originating IP address, time, and amount of delay for the
        next failed attempt
      - Wait some amount of time, based on the delay listed in the log-file,
        before exiting
Another option already mentioned was to try running sshd on an
alternative port, though a port scan will likely discover what port
it's running on after finding *something* running on that port.
I do hope you're at least configuring sshd to only use passphrase
logins, and allow password logins. You might also want to configure
different ssh keys with different purposes. For example, if you need
to just check on your backups, you could have one key which only runs
a status command and exits; or if you need to start your backups,
another key would kick off the backup command and exit. Other keys
could spawn different scripts in the background and then exit.
This would allow you to do various things with your system based on the
specific key you "login" with. The worst case scenario is that
perhaps they guess the passphrase to a key (assuming they've stolen the
private key in the first place) and start your backups for you :)
--
Seeya,
Paul
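The per-IP escalating-delay bookkeeping Paul sketches above, written out as an added example (not code from the original message). The log format (one tab-separated "ip, time, next delay" record per line), the 600-second window, and the doubling-up-to-a-cap growth are assumptions chosen for illustration.

```python
import time

WINDOW = 600       # seconds a past failure stays relevant (assumed value)
BASE_DELAY = 1     # seconds to wait after a first failure (assumed value)
MAX_DELAY = 60     # cap, so the delay grows toward a limit instead of forever


def parse_log(text):
    """Parse the constructed log format: one 'ip<TAB>time<TAB>next_delay' per line."""
    state = {}
    for line in text.splitlines():
        if line.strip():
            ip, ts, delay = line.split("\t")
            state[ip] = (float(ts), int(delay))
    return state


def format_log(state):
    """Inverse of parse_log; sorted so the file is stable across runs."""
    return "".join(f"{ip}\t{ts}\t{delay}\n" for ip, (ts, delay) in sorted(state.items()))


def delay_for(ip, state, now):
    """Delay this IP owes if the current attempt fails (step 1 of the algorithm)."""
    entry = state.get(ip)
    if entry is None or now - entry[0] > WINDOW:
        return BASE_DELAY          # no recent failure: start from the base penalty
    return entry[1]


def next_delay(current):
    """Doubling with a cap: the penalty approaches MAX_DELAY and stays there."""
    return min(current * 2, MAX_DELAY)


def handle_attempt(ip, log_text, now, failed, sleep=time.sleep):
    """One run of the login wrapper. Returns (seconds_waited, updated_log_text)."""
    state = parse_log(log_text)
    if not failed:
        state.pop(ip, None)       # a successful login clears the penalty
        return 0, format_log(state)
    wait = delay_for(ip, state, now)
    state[ip] = (now, next_delay(wait))   # log IP, time, delay for the next failure
    sleep(wait)                           # hold the connection before exiting
    return wait, format_log(state)
```

Because the per-IP entries expire after WINDOW and are cleared on success, a legitimate user who mistypes once is only slowed briefly, while a sustained guessing run from one address quickly hits the cap.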