Hmm, you raise some good points...
This could be a problem, yes... I probably have to make this configurable in some way. Or perhaps I could add some more code so that if only the same user+password combination (or a few of them) are the problem, it doesn't penalize. This feels familiar, I think I almost started coding that before. Or it's as if I already did, but I don't see the code...
Yeah, interesting idea to ignore a "stuck" login - this would help a lot
There are probably related ideas to look at number of incorrect usernames from a given IP as well as number of wrong passwords, but things get complicated fast. Also I think the trend is going to quickly shift to distributed bruteforcing - I have already seen this a little bit where you hardly see any one IP address login, but the log files as a whole are seeing a lot of breakin attempts
Should it not only delay *incorrect* logins? i.e. each time you get it wrong then you get a penalty (which increases). Getting it right would log in instantly and slightly decrease the "got it wrong" penalty (or perhaps it just time ages)?
That would also make the penalty pretty pointless. Attackers would just log in, wait for half a second, assume it was a failed login, disconnect and connect again.
Good point...
I guess you could mark IPs which disconnect before receiving a "password incorrect" message as being especially naughty? In fact this is probably an excellent thing to log so that those with fail2ban kind of things could trigger something if they see it? It would seem to be a high probability sign of someone bruteforcing?
Perhaps this itself is enough to justify an option to allow valid logins from an IP to proceed immediately? It doesn't help with a distributed bruteforce, but really those are so slow (per IP) that it really makes no odds if you tarpit them or not... Is this a reasonable compromise? (allow correct logins immediately, optionally unless we see really naughty behaviour of not waiting for the "incorrect" response from that IP on failed logins?)
Nice new feature anyway! Cheers
Ed W
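As an added illustration of the policy sketched in this thread (this is example code written for this page, not code from the mail server being discussed or from either poster), the tracker below models a per-IP login penalty: wrong passwords get an increasing delay, a correct login normally proceeds immediately and slightly lowers the penalty, the penalty also ages away with time, and a client that hangs up before it has been told "password incorrect" is flagged and logged in a form a fail2ban-style tool could match. Once an IP has been flagged enough times it loses the instant-success shortcut. The delay values, the threshold of three early disconnects, the log line format, the aging interval and the documentation-range IP addresses are all assumptions chosen for the example.

```python
# Added example of the per-IP login penalty discussed in the thread.
# Not the mail server's own code; all thresholds and formats are assumptions.
from dataclasses import dataclass
import time


@dataclass
class _IPState:
    failures: int = 0           # current penalty level for this IP
    early_disconnects: int = 0  # times the client quit before the failure reply
    last_update: float = 0.0    # clock value when `failures` was last adjusted


class LoginPenalty:
    def __init__(self, base_delay=0.5, max_delay=16.0, age_seconds=60.0,
                 naughty_threshold=3, clock=time.monotonic):
        self.base_delay = base_delay            # delay for the first wrong password
        self.max_delay = max_delay              # cap so the tarpit never grows unbounded
        self.age_seconds = age_seconds          # one penalty level forgiven per interval
        self.naughty_threshold = naughty_threshold
        self.clock = clock                      # injectable so tests need no real sleeps
        self._ips = {}

    def _state(self, ip):
        st = self._ips.get(ip)
        if st is None:
            st = self._ips[ip] = _IPState(last_update=self.clock())
        return st

    def _age(self, st):
        # "It just time ages": forgive one level per age_seconds of inactivity.
        now = self.clock()
        forgiven = int((now - st.last_update) // self.age_seconds)
        if forgiven:
            st.failures = max(0, st.failures - forgiven)
            st.last_update = now

    def is_naughty(self, ip):
        return self._state(ip).early_disconnects >= self.naughty_threshold

    def delay_for(self, ip, password_ok):
        """Seconds the server should wait before answering this login attempt."""
        st = self._state(ip)
        self._age(st)
        if password_ok and not self.is_naughty(ip):
            # Correct login proceeds at once and slightly decreases the penalty.
            st.failures = max(0, st.failures - 1)
            st.last_update = self.clock()
            return 0.0
        # Wrong password, or a flagged IP: exponential back-off, capped.
        delay = min(self.base_delay * 2 ** st.failures, self.max_delay)
        if not password_ok:
            st.failures += 1
            st.last_update = self.clock()
        return delay

    def record_disconnect(self, ip, expected_delay, waited):
        """Called when the client closed the connection during the penalty delay.

        Returns a log line if the client gave up before the 'password incorrect'
        reply was due (a strong sign of automated guessing), else None.
        """
        if waited >= expected_delay:
            return None
        st = self._state(ip)
        st.early_disconnects += 1
        return (f"auth-penalty: {ip} disconnected after {waited:.2f}s, before the "
                f"{expected_delay:.2f}s 'password incorrect' reply "
                f"(count={st.early_disconnects})")


def simulate():
    """Deterministic walk-through with a fake clock; returns the observed delays."""
    fake_clock = [0.0]
    p = LoginPenalty(clock=lambda: fake_clock[0])
    attacker, legit = "203.0.113.7", "198.51.100.5"   # constructed (RFC 5737) addresses
    out = {}
    out["first_fail"] = p.delay_for(attacker, password_ok=False)
    out["second_fail"] = p.delay_for(attacker, password_ok=False)
    out["third_fail"] = p.delay_for(attacker, password_ok=False)
    out["success"] = p.delay_for(attacker, password_ok=True)
    # Attacker now hangs up 0.4s into each penalty instead of waiting for the reply.
    logs = []
    for _ in range(3):
        d = p.delay_for(attacker, password_ok=False)
        logs.append(p.record_disconnect(attacker, d, waited=0.4))
    out["early_disconnect_logs"] = logs
    out["naughty"] = p.is_naughty(attacker)
    out["naughty_success"] = p.delay_for(attacker, password_ok=True)   # no shortcut now
    # A legitimate user mistypes once, then gets it right.
    out["legit_fail"] = p.delay_for(legit, password_ok=False)
    out["legit_success"] = p.delay_for(legit, password_ok=True)
    # Ten minutes later the attacker's failure count has aged away (the flag has not).
    fake_clock[0] = 600.0
    out["aged_fail"] = p.delay_for(attacker, password_ok=False)
    return out


if __name__ == "__main__":
    for k, v in simulate().items():
        print(k, v)
```

The early-disconnect flag deliberately does not age in this example, so a host that has shown that behaviour keeps being tarpitted even when it later presents the right password; whether that should expire, and after how long, is exactly the kind of thing the thread suggests making configurable.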