[Touch-packages] [Bug 1628926] Re: Postpone login attempts if X successive attempts have failed
See https://en.wikipedia.org/wiki/Denial-of-service_attack - that's the counterargument. But whichever way, you don't have the right audience here. Tell upstream :)

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openssh in Ubuntu.
https://bugs.launchpad.net/bugs/1628926

Title:
  Postpone login attempts if X successive attempts have failed

Status in openssh package in Ubuntu:
  Won't Fix

Bug description:
  ** This is a feature request that regards to security. **

  Please add to the login method a mechanism that postpones successive login attempts if X attempts have failed.

  Obviously this can be further enhanced - for example:
  If X successive login attempts failed, then disable that specific login method for that specific user for Y minutes.
  If Y minutes have passed and the additional successive attempts failed again - then disable that specific login method for that specific user for 2*Y minutes.
  And so on...

  Values of X and Y should be configured by the 'root' user.

  Benefits: greatly reduces the risk of remotely brute-forcing the password.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/1628926/+subscriptions

--
Mailing list: https://launchpad.net/~touch-packages
Post to     : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp
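The policy in the bug description, and the denial-of-service counterargument raised against it, can be seen side by side in a small simulation. This is an added example, not OpenSSH code and not part of the original thread; the `Limiter` class, the values chosen for X and Y, and the event list are all assumptions made for illustration.

```python
from dataclasses import dataclass

X = 3  # successive failures before a lockout (the report's "X"; value assumed)
Y = 5  # first lockout in minutes (the report's "Y"; value assumed)

@dataclass
class State:
    failures: int = 0       # successive failures since last success or lockout
    locked_until: int = 0   # minute at which the current lockout ends
    lockouts: int = 0       # lockouts so far; the next one lasts Y * 2**lockouts

class Limiter:
    """Hypothetical per-user limiter for one login method."""
    def __init__(self, x=X, y=Y):
        self.x, self.y, self.users = x, y, {}

    def attempt(self, minute, user, password_ok):
        s = self.users.setdefault(user, State())
        if minute < s.locked_until:
            return "locked"             # refused before the password is checked
        if password_ok:
            self.users[user] = State()  # a success clears the history
            return "ok"
        s.failures += 1
        if s.failures >= self.x:        # X-th failure in a row: start a lockout
            s.locked_until = minute + self.y * 2 ** s.lockouts
            s.lockouts += 1
            s.failures = 0
        return "fail"

# Constructed events: (minute, user, who is connecting, password correct?)
EVENTS = [
    (0, "alice", "guesser", False), (1, "alice", "guesser", False),
    (2, "alice", "guesser", False),   # third failure: locked until minute 7
    (3, "alice", "owner", True),      # correct password, still refused
    (8, "alice", "guesser", False), (9, "alice", "guesser", False),
    (10, "alice", "guesser", False),  # second lockout: 2*Y, until minute 20
    (12, "alice", "owner", True),     # refused again
    (21, "alice", "owner", True),     # lockout expired, login succeeds
]

def replay(events, limiter=None):
    limiter = limiter or Limiter()
    return [(m, who, limiter.attempt(m, user, ok)) for m, user, who, ok in events]

if __name__ == "__main__":
    for minute, who, outcome in replay(EVENTS):
        print(f"minute {minute:2d}  {who:8s} {outcome}")
```

Because the lock is keyed on the user name, the account owner is refused at minutes 3 and 12 even with the correct password, which is the denial-of-service side of the trade-off.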
[Touch-packages] [Bug 1628926] Re: Postpone login attempts if X successive attempts have failed
@Robie Basak (racb): OK, though having good default values impacts greatly on the security of systems world-wide. Normal users just install software but don't configure. This encourages hackers to attempt to hack users world-wide. If hackers knew that good default configurations are present by default (which greatly prevents attempts of brute-forcing) to everyone, then they will probably give up before trying...
[Touch-packages] [Bug 1628926] Re: Postpone login attempts if X successive attempts have failed
This is a feature request that may be addressed by upstream, but certainly won't be addressed by Ubuntu in a delta. Therefore I'm marking the "openssh (Ubuntu)" task as Won't Fix for now, because we have no plans to fix it in Ubuntu.

If you'd still like this feature in the openssh package, then you'll need to convince the upstream openssh maintainers to add the feature, and then Ubuntu will in time inherit it.

** Changed in: openssh (Ubuntu)
       Status: Incomplete => Won't Fix
[Touch-packages] [Bug 1628926] Re: Postpone login attempts if X successive attempts have failed
The ufw frontend to iptables has an easy 'limit' command that automates much of the tedium of installing firewall rulesets by hand. This will address specific IPs doing brute-force login attempts but distributed brute-force login attempts won't be affected.

There's also a pam_faildelay(8) module that does rate-limiting of users on authentication failure.

ssh specifically is far safer when password authentication is just not allowed; ssh keys are not useful to brute-force. Set "PasswordAuthentication no" in /etc/ssh/sshd_config.

Thanks
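A check that the "PasswordAuthentication no" setting recommended above actually takes effect, as an added example that is not part of the original message and not OpenSSH code. It relies on three sshd_config behaviours: the first value read for a keyword wins, Match blocks override global settings, and keyboard-interactive authentication through PAM can still prompt for a password. The function names and the sample configuration are constructed for illustration.

```python
import re

# The older keyword is a deprecated alias of the newer one.
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}

def effective(text):
    """Return (global settings, Match-block settings) from sshd_config text."""
    glob, overrides, match = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        key = ALIASES.get(parts[0].lower(), parts[0].lower())
        val = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            match = val                     # Match runs to the next Match or EOF
        elif match is None:
            glob.setdefault(key, val)       # sshd uses the first value it reads
        else:
            overrides.append((match, key, val))
    return glob, overrides

def password_login_findings(text):
    glob, overrides = effective(text)
    out = []
    if glob.get("passwordauthentication", "yes") != "no":   # unset means yes
        out.append("global: PasswordAuthentication is not 'no'")
    if (glob.get("kbdinteractiveauthentication", "yes") != "no"
            and glob.get("usepam", "no") == "yes"):
        out.append("global: keyboard-interactive via PAM can still prompt for a password")
    for cond, key, val in overrides:
        if key == "passwordauthentication" and val != "no":
            out.append(f"Match {cond}: PasswordAuthentication {val}")
    return out

# Constructed sample, not taken from any real host.
SAMPLE = """\
PasswordAuthentication no
UsePAM yes
KbdInteractiveAuthentication yes
PasswordAuthentication yes

Match Address 192.0.2.0/24
    PasswordAuthentication yes
"""

if __name__ == "__main__":
    for finding in password_login_findings(SAMPLE):
        print(finding)
```

The parser does not follow `Include` directives; on a live host, `sshd -T` prints the effective configuration after all files are read.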
[Touch-packages] [Bug 1628926] Re: Postpone login attempts if X successive attempts have failed
Hi, those two cover pretty much what you want to achieve I think:
https://ubuntuforums.org/showthread.php?t=1409993
https://www.rackaid.com/blog/how-to-block-ssh-brute-force-attacks/

** Changed in: openssh (Ubuntu)
       Status: New => Incomplete