Hello!

As the title says i wish to add a delay between between inputting a password and getting confirmation/denial but inly when logging in through SSH.
This to slow down any bruteforce attacks.
I guess it's possible, but is it doable by myself... I have recently started my explorations of Linux!

It's a Ubuntu 8.04 server... no graphical interfaces, only terminal!

//Stefan

Hello!

As the title says i wish to add a delay between between inputting a password and getting confirmation/denial but inly when logging in through SSH.
This to slow down any bruteforce attacks.

I'd not bother taking any action myself as a brute force attempt against a good password is totally futile.

However, many people stop such probes in their tracks by using denyhosts. In any case, sshd doesn't provide the easy delay configuration you inquire about.

Hello!

As the title says i wish to add a delay between between inputting a password and getting confirmation/denial but inly when logging in through SSH.
This to slow down any bruteforce attacks.
I guess it's possible, but is it doable by myself... I have recently started my explorations of Linux!

It's a Ubuntu 8.04 server... no graphical interfaces, only terminal!

//Stefan

There are many things you can do including applications such as fail2ban or denyhosts.

personally I just add a "simple" rule to iptables -> after so many attempts an ip is blocked for so many minutes.

+ use ssh keys and disable password authentication altogether.

OK thank you!

//Stefan

You might consider changing the default port (22) to something else.
I had a rash of attempts to logon to my systems and moved the port number up to an address above the standard addresses. See /etc/services for the standard assignments.

To accomplish the move.. edit /etc/ssh/sshd_config and change the line
for ports. Restart sshd to put the new port # into service.

Never tried myself, but I think you can set the delay in the /etc/pam.d/sshd file:
auth optional pam_faildelay.so delay=10000000 #=10 seconds

auth optional pam_faildelay.so delay=10000000 #=10 seconds



That works but another connection can always be opened, so whether it would slow down probes would depend on how they are conducted and how sshd is configured.

If you're going to be logging in only from machines that are trustworthy and actually trusted (your own laptop, for instance) you may consider only allowing connections via keys. This way an attacker will automatically be denied access if she does not have the proper key.

Check out this wiki page (https://help.ubuntu.com/community/SSH/OpenSSH/Keys) for more on how to set up key based access.

If you're going to be logging in only from machines that are trustworthy and actually trusted (your own laptop, for instance) you may consider only allowing connections via keys. This way an attacker will automatically be denied access if she does not have the proper key.

Check out this wiki page (https://help.ubuntu.com/community/SSH/OpenSSH/Keys) for more on how to set up key based access.

Keys are portable. Put putty + keys on a flash drive.

Also, as you know, you need to then disable password authentication.

Keys are portable. Put putty + keys on a flash drive.
I know. But that doesn't mean you should put your private key onto every machine you find, that's why I suggested trustworthy and trusted machines. If you think you can trust your school's computers then go ahead. Just don't try and use your key on a machine in an internet cafe.

EDIT: And yes, I forgot to mention that in order for this to help get rid of pesky bruteforcers you need to disable password authentication. Sorry :)