From owner-cvs-all Sun Dec 5 22:32:30 1999
Delivered-To: cvs-all@freebsd.org
Received: from freefall.freebsd.org (freefall.FreeBSD.ORG [204.216.27.21])
	by hub.freebsd.org (Postfix) with ESMTP
	id 5EA5814CB1; Sun, 5 Dec 1999 22:32:23 -0800 (PST)
	(envelope-from green@FreeBSD.org)
Received: (from green@localhost)
	by freefall.freebsd.org (8.9.3/8.9.2) id WAA71815;
	Sun, 5 Dec 1999 22:32:23 -0800 (PST)
	(envelope-from green@FreeBSD.org)
Message-Id: <199912060632.WAA71815@freefall.freebsd.org>
From: Brian Feldman
Date: Sun, 5 Dec 1999 22:32:23 -0800 (PST)
To: cvs-committers@FreeBSD.org, cvs-all@FreeBSD.org
Subject: cvs commit: ports/security/openssh Makefile ports/security/openssh/patches patch-ap patch-aq patch-ar patch-an patch-ao
Sender: owner-cvs-all@FreeBSD.ORG
Precedence: bulk

green       1999/12/05 22:32:23 PST

  Modified files:
    security/openssh          Makefile
    security/openssh/patches  patch-an patch-ao
  Added files:
    security/openssh/patches  patch-ap patch-aq patch-ar
  Log:
  In the meantime (while things are being worked and decided on on the
  OpenBSD OpenSSH front), add ConnectionsPerPeriod to prevent DoS via
  running the system out of resources. In reality, this wouldn't be a
  full DoS, but would make a system slower, but this is a better thing
  to do than let the system get loaded down.

  So here we are, rate-limiting. The default settings are now:
  Five connections are allowed to authenticate (and not be rejected) in
  a period of ten seconds.
  One minute is given for login grace time.

  More work in this area is being done by alfred@FreeBSD.org and
  markus@OpenBSD.org, at the very least.

  This is, essentially, a stopgap solution; however, it is a properly
  implemented and documented one, and has an easily modifiable framework.

  Revision  Changes    Path
  1.29      +3 -3      ports/security/openssh/Makefile
  1.5       +134 -15   ports/security/openssh/patches/patch-an
  1.4       +8 -5      ports/security/openssh/patches/patch-ao

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe cvs-all" in the body of the message
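
The rate limit described in the commit log (five accepted connections per ten-second period), sketched as a sliding-window limiter. This is an added example, not code from the port's patches: the message does not show how ConnectionsPerPeriod is implemented, so the sliding-window approach and every name below are assumptions.

```c
/* Added example: sliding-window connection limiter (not the port's patch). */
#include <stdio.h>
#include <time.h>

#define MAX_TRACKED 64              /* hypothetical cap on the allowed count */

struct conn_limiter {               /* hypothetical names throughout */
    unsigned max_conns;             /* connections allowed per period */
    time_t   period;                /* window length in seconds */
    time_t   stamps[MAX_TRACKED];   /* ring of accept times */
    unsigned head;                  /* next slot; the oldest entry once full */
    unsigned used;                  /* slots filled so far */
};

int limiter_init(struct conn_limiter *l, unsigned max_conns, time_t period)
{
    if (max_conns == 0 || max_conns > MAX_TRACKED || period <= 0)
        return -1;
    l->max_conns = max_conns;
    l->period = period;
    l->head = l->used = 0;
    return 0;
}

/* Return 1 to accept the connection arriving at `now`, 0 to reject it. */
int limiter_allow(struct conn_limiter *l, time_t now)
{
    /* Ring full: stamps[head] is the oldest accepted connection. If it is
     * still inside the window, max_conns were already accepted this period.
     * A clock that stepped backwards gives a negative age and also rejects. */
    if (l->used == l->max_conns && now - l->stamps[l->head] < l->period)
        return 0;
    l->stamps[l->head] = now;       /* rejected attempts are never recorded */
    l->head = (l->head + 1) % l->max_conns;
    if (l->used < l->max_conns)
        l->used++;
    return 1;
}

int main(void)
{
    struct conn_limiter l;
    limiter_init(&l, 5, 10);        /* defaults stated in the commit log */
    for (time_t t = 100; t <= 111; t++)   /* constructed arrival times */
        printf("t=%ld %s\n", (long)t, limiter_allow(&l, t) ? "accept" : "reject");
    return 0;
}
```

Because only accepted connections are recorded, a flood of rejected attempts does not push the window forward and extend the lockout for later clients.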