From: Marian Hettwer <MH@kernel32.de>
Date: Fri, 17 Feb 2006 09:39:41 +0100
To: Atanas
Cc: yar@freebsd.org, freebsd-stable@freebsd.org, Lowell Gilbert, David Malone, Rostislav Krasny, Dag-Erling Smørgrav, "Michael A. Koerber"
Subject: Re: SSH login takes very long time...sometimes
Message-ID: <43F58BCD.1070202@kernel32.de>
In-Reply-To: <43F4E3B0.1090806@asd.aplus.net>
List-Id: Production branch of FreeBSD source code

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hej there,

Atanas wrote:
> Dag-Erling Smørgrav said the following on 02/15/06 23:35:
>
>> David Malone writes:
>
> Last year I already had to decrease the LoginGraceTime from 120 to 30
> seconds on my production boxes, but it didn't help much, so on top of
> that I got to implement (reinvent the wheel again) a script tailing the
> auth.log and firewalling bad guys in order to secure sshd and let my
> legitimate users in.
>
You could get rid of parsing auth.log and everything and just use pf(4)
instead. Look at that:

  # sshspammer table: addresses that hit the rate limit land here
  table <sshspammer> persist
  block log quick from <sshspammer>

  # more than 6 ssh attempts in 15 seconds will be blocked ;)
  # $ext_if and $tcp_flags are assumed to be macros defined earlier in
  # pf.conf (e.g. tcp_flags = "flags S/SA"); "keep state" is required for
  # the state options in parentheses to be accepted.
  pass in quick on $ext_if proto tcp to ($ext_if) port ssh $tcp_flags \
      keep state (max-src-conn 10, max-src-conn-rate 6/15, \
      overload <sshspammer> flush global)

> I really miss the inetd features. A setting like "nowait/100/20/5"
> (/max-child[/max-connections-per-ip-per-minute[/max-child-per-ip]])
> would effectively bounce the bad guys, but AFAIK (correct me if I'm
> wrong), ssh is no longer supposed to work via inetd and still has no
> such capabilities.
>
I believe what you are searching for is indeed the pf(4) stuff mentioned
above :)

> It'd be nice to have something like for instance the sendmail's client
> and rate connection limits, but I guess this is not the right place to ask.
>
I believe it is. It's about FreeBSD and about Security ;-)

regards,
Marian
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (Darwin)

iD8DBQFD9YvKgAq87Uq5FMsRAik2AKDMXXj4K0Pb9i0Qc6Cqowtzp6dynwCeIOpn
gwk9aMT1skGMWis8tRL1Xtk=
=jV8k
-----END PGP SIGNATURE-----
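As an added example (not part of the thread), here is a small sh/awk script of the kind Atanas describes, tallying failed sshd logins per source address from auth.log-style lines and feeding repeat offenders into the sshspammer table from Marian's pf rule. The table name and the pfctl invocation follow the thread; the function names, the threshold and the sample log lines are my own constructions.

```shell
#!/bin/sh
# Count failed sshd logins per source address in auth.log-style lines read
# from stdin and print every address with at least $1 failures.
ssh_offenders() {
    awk -v limit="$1" '
        # Match "Failed password for ... from A.B.C.D" and
        # "Invalid user ... from A.B.C.D"; the address follows "from".
        /sshd\[[0-9]+\]: (Failed password|Invalid user)/ {
            for (i = 1; i <= NF; i++)
                if ($i == "from") { hits[$(i+1)]++; break }
        }
        END {
            for (ip in hits)
                if (hits[ip] >= limit) print ip
        }' | sort
}

# Add offenders to the pf table the block rule consults. With "dry" as the
# second argument the pfctl command is printed instead of executed.
# Entries stay until removed, e.g. by a cron job running
# "pfctl -t sshspammer -T expire 3600" to drop addresses older than an hour.
block_offenders() {
    ssh_offenders "$1" | while read -r ip; do
        if [ "${2:-}" = "dry" ]; then
            echo "pfctl -t sshspammer -T add $ip"
        else
            pfctl -t sshspammer -T add "$ip"
        fi
    done
}

# Constructed sample log lines (documentation addresses, not a real host).
SAMPLE_LOG='Feb 17 09:12:01 host sshd[1234]: Failed password for root from 203.0.113.5 port 40122 ssh2
Feb 17 09:12:03 host sshd[1235]: Failed password for root from 203.0.113.5 port 40123 ssh2
Feb 17 09:12:05 host sshd[1236]: Invalid user admin from 203.0.113.5
Feb 17 09:12:07 host sshd[1237]: Failed password for alice from 198.51.100.7 port 50001 ssh2
Feb 17 09:12:09 host sshd[1238]: Accepted publickey for alice from 198.51.100.7 port 50002 ssh2'

# Dry run over the sample: only 203.0.113.5 reaches three failures.
printf '%s\n' "$SAMPLE_LOG" | block_offenders 3 dry
```

In production the script would read from `tail -F /var/log/auth.log` rather than a constant, and the threshold should sit above what a fat-fingered legitimate user produces.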