Date: Fri, 17 Feb 2006 02:11:41 +0200 From: Niki Denev <nike_d@cytexbg.com> To: Atanas <atanas@asd.aplus.net> Cc: freebsd-stable@freebsd.org, Lowell Gilbert <freebsd-stable-local@be-well.ilk.org>, David Malone <dwmalone@maths.tcd.ie>, Rostislav Krasny <rosti.bsd@gmail.com>, "Michael A. Koerber" <mak@ll.mit.edu>, Marian Hettwer <MH@kernel32.de> Subject: Re: SSH login takes very long time...sometimes Message-ID: <43F514BD.608@cytexbg.com> In-Reply-To: <43F4E3B0.1090806@asd.aplus.net> References: <59e2ee810512250841t75157e62rec9dc389ac716534@mail.gmail.com> <20051227101621.GA16276@walton.maths.tcd.ie> <86irrfoix5.fsf@xps.des.no> <43F4E3B0.1090806@asd.aplus.net>
next in thread | previous in thread | raw e-mail | index | archive | help
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Atanas wrote: > Dag-Erling Smørgrav said the following on 02/15/06 23:35: >> David Malone <dwmalone@maths.tcd.ie> writes: >>> I did once mail des@ to ask him if he'd mind me changing the default >>> login timeout for sshd to be (say) 5 minutes rather than 1 minute, >>> but I think he was busy at the time. Judging by the PR mentioned >>> above it should be at least 2m30s by default. Des, would you mind >>> this change being made? >> >> No objection, just let me see the patch first. >> >> DES > > Just a thought, wouldn't this open a new possibility for denial of > service attacks? > > Last year I already had to decrease the LoginGraceTime from 120 to 30 > seconds on my production boxes, but it didn't help much, so on top of > that I got to implement (reinvent the wheel again) a script tailing the > auth.log and firewalling bad gyus in order to secure sshd and let my > legitimate users in. > > I really miss the inetd features. A setting like "nowait/100/20/5" > (/max-child[/max-connections-per-ip-per-minute[/max-child-per-ip]]) > would effectively bounce the bad guys, but AFAIK (correct me if I'm > wrong), ssh is no longer supposed to work via inetd and still has no > such capabilities. > > I'd be nice to have something like for instance the sendmail's client > and rate connection limits, but I guess this is not the right place to ask. > > Regards, > Atanas > ______ I solved this for me with the following pf(4) rule : pass in quick on $ext inet proto tcp from any to any port ssh flags S/SA \ keep state (source-track rule, max-src-conn $max_conn_per_ip, max-src-conn-rate $max_conn_rate, \ overload <tempban-ssh> flush global) with appropriate $max_conn_per_ip and $max_conn_rate limits, and "expiretable" in a cronjob to flush all entries in the <tempban-ssh> table which are older than predefined period. I hope this helps. - --niki -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.2 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFD9RS9HNAJ/fLbfrkRAi/bAKCe6T8RIGeVaq/EGkcxFa26jcK5xACeIoES YEQ6LosYdZ824h8dVwwRo7c= =ZhLi -----END PGP SIGNATURE-----
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?43F514BD.608>