Date: Thu, 16 Feb 2006 16:49:04 -0600 (CST)
From: chris@i13i.com
To: "David Malone" <dwmalone@maths.tcd.ie>
Cc: yar@freebsd.org, freebsd-stable@freebsd.org, Lowell Gilbert <freebsd-stable-local@be-well.ilk.org>, Atanas <atanas@asd.aplus.net>, Rostislav Krasny <rosti.bsd@gmail.com>, Dag-Erling Smørgrav <des@des.no>, "Michael A. Koerber" <mak@ll.mit.edu>, Marian Hettwer <mh@kernel32.de>
Subject: Re: SSH login takes very long time...sometimes
Message-ID: <2646.201.144.115.229.1140130144.squirrel@webmail.i13i.com>
In-Reply-To: <200602162124.aa23962@salmon.maths.tcd.ie>
References: Your message of "Thu, 16 Feb 2006 12:42:24 PST." <43F4E3B0.1090806@asd.aplus.net> <200602162124.aa23962@salmon.maths.tcd.ie>
Hello,

You should try Xinetd as it has more options to help with this. I believe your SSH problem is due to a DNS/RDNS problem.

Regards,
Chris

>> Just a thought, wouldn't this open a new possibility for denial of
>> service attacks?
>
> I doubt it. I'm guessing you're thinking of an attack where someone
> makes many connections to sshd in a short time and runs you out of
> processes? I think you can protect against this with the MaxStartups
> directive in sshd_config. The amount of time that an attacker has
> to open many connections is probably not that important, as you can
> open a lot of TCP connections in 1 second even with a small link.
>
>> Last year I already had to decrease the LoginGraceTime from 120 to 30
>> seconds on my production boxes, but it didn't help much, so on top of
>> that I got to implement (reinvent the wheel again) a script tailing the
>> auth.log and firewalling bad guys in order to secure sshd and let my
>> legitimate users in.
>
> Are you trying to prevent the ssh scanners that just try well-known
> combinations of usernames and passwords? It is not clear that you
> gain much by firewalling these off, other than having fewer log
> messages.
>
>> I really miss the inetd features. A setting like "nowait/100/20/5"
>> (/max-child[/max-connections-per-ip-per-minute[/max-child-per-ip]])
>> would effectively bounce the bad guys, but AFAIK (correct me if I'm
>> wrong), ssh is no longer supposed to work via inetd and still has no
>> such capabilities.
>
> You can still run sshd through inetd (or, at least, the -i option
> is still documented in the sshd man page). It does suggest that you
> may need to reduce the key size to make this practical (increasing
> LoginGraceTime here may help too ;-)
>
> David.
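A defender-side illustration of the auth.log-tailing approach Atanas describes in the quoted text: this is added example code, not from any poster or from FreeBSD, and the log lines, hostname and the 3-failures-per-minute threshold are constructed. It counts sshd "Failed password" events per source address in a sliding window, the same idea as inetd's max-connections-per-ip-per-minute, and returns the addresses that cross the threshold; what to do with them (a firewall table, an alert) is left to the caller.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample auth.log lines in FreeBSD syslog format (not real traffic).
SAMPLE_LOG = """\
Feb 16 16:49:01 gw sshd[1201]: Failed password for invalid user admin from 192.0.2.10 port 40001 ssh2
Feb 16 16:49:02 gw sshd[1202]: Failed password for invalid user oracle from 192.0.2.10 port 40002 ssh2
Feb 16 16:49:03 gw sshd[1203]: Failed password for root from 192.0.2.10 port 40003 ssh2
Feb 16 16:49:05 gw sshd[1204]: Accepted publickey for alice from 198.51.100.7 port 51000 ssh2
Feb 16 16:49:40 gw sshd[1205]: Failed password for invalid user test from 192.0.2.10 port 40004 ssh2
Feb 16 16:50:10 gw sshd[1206]: Failed password for bob from 198.51.100.7 port 51001 ssh2
Feb 16 16:52:30 gw sshd[1207]: Failed password for invalid user guest from 192.0.2.10 port 40005 ssh2
"""

# Matches both "Failed password for <user> from <ip>" and the "invalid user" variant.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>[\d.]+) port \d+"
)


def parse_failures(log_text, year=2006):
    """Yield (timestamp, source_ip) for every sshd failed-password line.

    syslog timestamps carry no year, so one is supplied (assumption: 2006).
    """
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue  # accepted logins and unrelated daemons are ignored
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["ip"]


def offenders(log_text, max_per_window=3, window_seconds=60):
    """Return the source IPs with more than max_per_window failures inside
    any window_seconds-long sliding window (analogous to inetd's
    max-connections-per-ip-per-minute limit)."""
    recent = defaultdict(deque)  # ip -> timestamps still inside the window
    flagged = set()
    for ts, ip in parse_failures(log_text):
        q = recent[ip]
        q.append(ts)
        while q and (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()  # expire failures older than the window
        if len(q) > max_per_window:
            flagged.add(ip)
    return flagged
```

With the sample above, 192.0.2.10 logs four failures within 39 seconds and is flagged, while 198.51.100.7 (one failure plus a successful key login) is not.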