From: Oliver Fromme
To: freebsd-amd64@FreeBSD.ORG
Date: Thu, 6 Apr 2006 13:33:29 +0200 (CEST)
Subject: Re: connection rate limitation for sshd - is it possible ?
Message-Id: <200604061133.k36BXTve097808@lurza.secnetix.de>

This is off-topic (not amd64-related), and you hijacked another
thread, but anyway ...

xdavid@svinew.natur.cuni.cz wrote:
 > Please, is there a way to limit the number of connections to the OpenSSH
 > daemon per time period per source IP address? I am using this on Linux
 > boxes with iptables, but couldn't figure out how to do this with IPF on
 > FreeBSD. If it is not possible, is there another way to do this? Or
 > do you think it is (un)wise to run sshd under inetd with the "-C" switch or
 > the "max-connections-per-ip-per-minute" parameter?

It is unwise, because sshd has to generate the server key each time
it is started -- if started from inetd, that would be each time a
client connection is accepted. Please read the description of the
"-i" option in the sshd manpage. It explains it pretty well.

Maybe using "MaxStartups" in your sshd_config would be a better
solution (refer to the manpage for details).

Best regards
   Oliver

-- 
Oliver Fromme, secnetix GmbH & Co. KG, Marktplatz 29, 85567 Grafing
Dienstleistungen mit Schwerpunkt FreeBSD: http://www.secnetix.de/bsd
Any opinions expressed in this message may be personal to the author
and may not necessarily reflect the opinions of secnetix in any way.

"If you think C++ is not overly complicated, just what is a protected
abstract virtual base pure virtual private destructor, and when was the
last time you needed one?"
        -- Tom Cargill, C++ Journal
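The reply points at MaxStartups but leaves the details to sshd_config(5). The directive takes the form "start:rate:full": sshd accepts new connections freely while fewer than `start` unauthenticated connections are pending, refuses `rate` percent of them once that point is reached, and raises the refusal rate linearly until every new connection is refused at `full`. The following Python model is an added illustration, not code from this thread or from OpenSSH itself; it reproduces the integer arithmetic sshd uses for that decision so a given setting can be sanity-checked before it is deployed, and the single-number form ("MaxStartups 10"), which sshd treats as a hard cap, is handled as well. The helper names (`parse_max_startups`, `drop_probability`, `should_drop`, `probability_table`) are this example's own.

```python
"""Model of OpenSSH's MaxStartups "start:rate:full" connection throttling.

Added illustration for the thread above; the arithmetic mirrors sshd's own
drop decision (integer division, same operation order) so rounding matches.
"""
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class MaxStartups:
    start: int  # pending unauthenticated connections before dropping begins
    rate: int   # drop probability (percent) once `start` is reached
    full: int   # pending connections at which every new connection is refused


def parse_max_startups(value: str) -> MaxStartups:
    """Parse a MaxStartups value such as "10:30:100" or the single-number "10".

    A single number N is a hard cap: up to N pending connections are accepted
    and the rest refused, which behaves exactly like "N:100:N".
    """
    parts = value.strip().split(":")
    if len(parts) == 1:
        n = int(parts[0])
        return MaxStartups(n, 100, n)
    if len(parts) != 3:
        raise ValueError(f"malformed MaxStartups value: {value!r}")
    start, rate, full = (int(p) for p in parts)
    if start > full or not 1 <= rate <= 100:
        raise ValueError(f"invalid MaxStartups value: {value!r}")
    return MaxStartups(start, rate, full)


def drop_probability(cfg: MaxStartups, pending: int) -> int:
    """Percent chance that sshd refuses the next connection.

    Below `start` nothing is dropped; at or above `full` everything is dropped;
    in between the chance rises linearly from `rate` to 100 percent.
    """
    if pending < cfg.start:
        return 0
    if pending >= cfg.full or cfg.rate == 100:
        return 100
    p = 100 - cfg.rate
    p *= pending - cfg.start
    p //= cfg.full - cfg.start  # integer division, as in sshd
    return p + cfg.rate


def should_drop(cfg: MaxStartups, pending: int, rng=None) -> bool:
    """Simulate one accept decision.

    `rng.randrange(100)` stands in for sshd's uniform random draw in [0, 100);
    pass a seeded random.Random (or a stub) for a reproducible result.
    """
    rng = rng or random
    return rng.randrange(100) < drop_probability(cfg, pending)


def probability_table(cfg: MaxStartups, step: int = 10) -> list:
    """(pending, drop percent) rows from 0 up to `full`, for a quick review."""
    return [(n, drop_probability(cfg, n)) for n in range(0, cfg.full + 1, step)]


if __name__ == "__main__":
    # Constructed sample setting in the three-field form described in sshd_config(5).
    cfg = parse_max_startups("10:30:100")
    for pending, pct in probability_table(cfg):
        print(f"{pending:4d} pending -> {pct:3d}% of new connections refused")
```

Two points worth noting when reading the table this prints: MaxStartups counts pending connections globally, not per source address, so it protects the daemon from exhaustion but does not by itself single out one noisy client; and because the refusal is probabilistic between `start` and `full`, a legitimate user connecting during a flood is also refused with the same probability, which is the trade-off to weigh when choosing the `rate` value.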