openssh-5.1p1+debian+backoff.diff

This is a patch to openssh sshd.c which enables "exponential backoff", so that an attacker cannot brute-force your password by making hundreds of login attempts. An attacker who fails to log in is locked out (by IP address) for 5 seconds, and the lockout period doubles for each failed login after that. Normally three logins are allowed before an ssh connection is terminated.

This patch is "beta" software and might lock you out of your sshd, so be careful and make sure you are prepared for that. You can "test" the patch by attempting to break into my server nipl.net; ssh is running on port 22.

The patch creates and uses a db-4 database in /var/lib/ssh/backoff.db.

I think my code is written carefully, but it might have some bugs. Also I think this problem might be better solved outside of sshd (maybe in pam). I'd be very grateful for any constructive feedback.

Thanks!

Sam Watkins
swatkins@fastmail.fm
Fri, 23 Jan 2009 16:41:19 +0800
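As an added illustration of the per-address backoff policy the note describes (5 s lockout after a failed login, doubling with each further failure), here is a small C model of that policy. It is not the patch's code: it keeps state in an in-memory table rather than the patch's db-4 database, takes the current time as a parameter so it can be exercised offline, and assumes a cap on the lockout length and a reset on successful login, neither of which the note states.

```c
/* Toy model of per-source-address exponential backoff for failed logins.
 * Assumptions (not from the patch): an in-memory table instead of db-4,
 * a cap on the lockout length, and a reset of history on successful login. */
#include <string.h>
#include <time.h>

#define BACKOFF_BASE_SECS 5      /* initial lockout, as stated in the note */
#define BACKOFF_MAX_SECS  86400  /* assumed cap so doubling cannot run away */
#define MAX_ENTRIES 64           /* size of the toy table (assumption) */

struct backoff_entry {
    char addr[46];               /* source address in text form (IPv6 max) */
    unsigned failures;           /* consecutive failed logins from addr */
    time_t locked_until;         /* connections are refused before this time */
};

static struct backoff_entry table[MAX_ENTRIES];

/* Find or create the entry for an address; NULL if the table is full. */
static struct backoff_entry *backoff_lookup(const char *addr) {
    for (int i = 0; i < MAX_ENTRIES; i++) {
        if (table[i].addr[0] == '\0') {          /* first free slot: claim it */
            strncpy(table[i].addr, addr, sizeof table[i].addr - 1);
            return &table[i];
        }
        if (strcmp(table[i].addr, addr) == 0) return &table[i];
    }
    return NULL;
}

/* 1 if the address is still locked out at time `now`, else 0. */
int backoff_is_locked(const char *addr, time_t now) {
    struct backoff_entry *e = backoff_lookup(addr);
    return e != NULL && now < e->locked_until;
}

/* Record a failed login; returns the lockout length (seconds) now applied. */
long backoff_record_failure(const char *addr, time_t now) {
    struct backoff_entry *e = backoff_lookup(addr);
    if (e == NULL) return -1;                    /* table full: caller decides */
    e->failures++;
    long secs = BACKOFF_BASE_SECS;               /* 5, 10, 20, 40, ... */
    for (unsigned i = 1; i < e->failures && secs < BACKOFF_MAX_SECS; i++)
        secs *= 2;
    if (secs > BACKOFF_MAX_SECS) secs = BACKOFF_MAX_SECS;
    e->locked_until = now + secs;
    return secs;
}

/* A successful login clears the address's history (assumed behaviour). */
void backoff_record_success(const char *addr) {
    struct backoff_entry *e = backoff_lookup(addr);
    if (e != NULL) { e->failures = 0; e->locked_until = 0; }
}
```

A real deployment would also need the state to survive sshd restarts and be shared across the forked per-connection processes, which is what the patch's on-disk database provides.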