When hardening SSH server security, introducing intentional delays after failed login attempts serves multiple purposes:
- Slows down brute-force attacks by making rapid password guessing impractical
- Reduces server load during authentication storms
- Provides time for intrusion detection systems to trigger
- Follows the security principle of "fail securely" with graceful degradation
While sshd_config doesn't include a direct delay parameter, we can implement this through several approaches:
Method 1: PAM Configuration (Linux)
Modify /etc/pam.d/sshd to include delay mechanisms:
# Add this line after other auth rules auth required pam_faildelay.so delay=3000000
Note: The delay is specified in microseconds (3000000μs = 3 seconds)
Method 2: Rate Limiting with iptables
Combine connection rate limiting with SSH:
# Add to iptables rules iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 5 --hitcount 2 -j DROP
Method 3: Custom PAM Module
Create a simple delay module (/etc/pam.d/custom_delay):
#include#include PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char **argv) { sleep(3); // 3 second delay return PAM_SUCCESS; }
For more sophisticated control, implement a progressive delay system:
# In /etc/pam.d/sshd auth required pam_exec.so /usr/local/bin/adaptive_delay.sh # adaptive_delay.sh script #!/bin/bash ATTEMPTS=$(grep "Failed password" /var/log/auth.log | wc -l) DELAY=$(( ATTEMPTS > 5 ? 5 : ATTEMPTS )) sleep $DELAY exit 0
After implementing changes:
- Restart sshd:
systemctl restart sshd - Test from another terminal:
time ssh user@localhost - Check auth logs:
tail -f /var/log/auth.log
- Balance security with usability - don't set excessive delays
- Combine with other measures like fail2ban for comprehensive protection
- Document the changes in your system security policy
- Test thoroughly in staging before production deployment
When hardening SSH server security, introducing intentional delays after failed authentication attempts is a common practice to deter brute-force attacks. The OpenSSH daemon (sshd) doesn't provide a direct configuration parameter for this specific timing control, but we can implement it through several effective methods.
The most straightforward solution leverages Linux's Pluggable Authentication Modules (PAM) system:
# Edit the PAM configuration for SSH sudo nano /etc/pam.d/sshd # Add this line at the top of the file auth optional pam_faildelay.so delay=3000000
The delay parameter is specified in microseconds (3000000μs = 3 seconds). This affects all authentication attempts through SSH.
For more granular control combining delay and banning:
# Install fail2ban if not present sudo apt install fail2ban # Configure jail.local for SSH sudo nano /etc/fail2ban/jail.local [sshd] enabled = true port = ssh filter = sshd logpath = /var/log/auth.log maxretry = 3 findtime = 300 bantime = 3600
Then modify your PAM configuration to include both delay and fail2ban integration.
A network-level approach using /etc/hosts.deny:
# Add to /etc/hosts.deny sshd : ALL : spawn (/bin/sleep 3) & : deny
This introduces a delay at the connection level before SSH even processes the authentication attempt.
For environments where you can modify the shell:
#!/bin/bash
if [ -n "$SSH_ORIGINAL_COMMAND" ]; then
# Successful authentication
exec $SHELL -c "$SSH_ORIGINAL_COMMAND"
else
# Failed authentication
sleep 3
exec $SHELL
fi
Then set this script as the user's shell in /etc/passwd.
While implementing delays, consider:
- Performance impact on legitimate users
- Logging failed attempts for monitoring
- Combining with other security measures like key-based auth
- System resource usage during attack periods
After implementation, monitor your auth logs to adjust timing:
# Watch authentication attempts tail -f /var/log/auth.log | grep sshd
Adjust the delay values based on your specific threat model and user experience requirements.