From: Mark Johnston
To: freebsd-security@freebsd.org
Date: Mon, 10 May 2004 11:17:32 -0500
Subject: Re: rate limiting sshd connections ?
List: freebsd-security (Security issues [members-only posting])
In-Reply-To: <6.0.3.0.0.20040510115614.04be3708@64.7.153.2>
Message-Id: <200405101117.32934.mjohnston@skyweb.ca>

Mike Tancsa wrote:
> Does anyone know of a way to rate limit ssh connections from an IP address?

I haven't used it myself, but ipfw (not sure whether it's ipfw2-only) has a
limit directive:

    limit {src-addr | src-port | dst-addr | dst-port} N

The firewall will only allow N connections with the same set of parameters
as specified in the rule. One or more of source and destination addresses
and ports can be specified. If you're getting lots of connects in parallel,
that should improve things.
Here's another thought, using dummynet:

    ipfw pipe 1 config bw 1Kbit mask src-ip 0xffffffff
    ipfw add 10 pipe 1 tcp from any to me 22 setup

1 kbit is 128 bytes/sec, which is roughly 2-3 average SYN packets per second.
More than enough for a regular host, but fairly limiting against a flood.

You can also implement this at the border:

    ipfw pipe 1 config bw 1Kbit mask src-ip 0xffffffff dst-ip 0xffffffff
    ipfw add 10 pipe 1 tcp from any to (LAN) 22 setup

(Dropping the dst-ip mask here would limit SYNs from any given IP to your
whole LAN.)

These aren't tested, but they may give you some ideas.

Mark
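As an added example that is not part of the original thread, the following script wraps the two ipfw approaches above (the per-source "limit" rule and the per-source dummynet pipe) in shell functions that emit the rules and, optionally, apply them. It assumes FreeBSD ipfw with dummynet compiled in, that rule numbers 10 and 11 are free, and that the IPFW variable may be pointed at "echo" to preview the rules instead of applying them.

```shell
#!/bin/sh
# Added example (not from the original mail): assemble the two ipfw-based
# SSH rate-limiting approaches into reusable functions. Assumes FreeBSD ipfw
# with dummynet, free rule numbers 10 and 11, and that IPFW=echo may be used
# to preview instead of apply.

# Per-source connection cap: at most $2 simultaneous SSH sessions from any
# one source IP. The dynamic rule created by "limit" also passes the rest of
# each accepted session, so no separate "established" rule is needed.
ssh_limit_rule() {
    port="${1:-22}"; cap="${2:-4}"
    echo "add 11 allow tcp from any to me ${port} setup limit src-addr ${cap}"
}

# Per-source SYN throttle: SSH SYNs go through a dummynet pipe of $2
# bandwidth, with one queue per source IP (mask src-ip 0xffffffff).
# At 1Kbit that is 128 bytes/s, i.e. a few SYNs per second per source.
ssh_pipe_rules() {
    port="${1:-22}"; bw="${2:-1Kbit}"
    echo "pipe 1 config bw ${bw} mask src-ip 0xffffffff"
    echo "add 10 pipe 1 tcp from any to me ${port} setup"
}

# Apply the pipe first, then the cap. Caveat: with the default
# net.inet.ip.fw.one_pass=1 a packet leaving the pipe is accepted at once and
# never reaches rule 11; set net.inet.ip.fw.one_pass=0 for the cap to apply.
apply_ssh_ratelimit() {
    port="${1:-22}"; bw="${2:-1Kbit}"; cap="${3:-4}"
    ipfw_cmd="${IPFW:-ipfw}"
    { ssh_pipe_rules "$port" "$bw"; ssh_limit_rule "$port" "$cap"; } |
    while IFS= read -r rule; do
        # Word-splitting $rule into ipfw arguments is intended here.
        $ipfw_cmd $rule || return 1
    done
}
```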