From owner-freebsd-amd64@FreeBSD.ORG Fri Apr 7 09:54:53 2006
From: xdavid@lib-eth.natur.cuni.cz
To: freebsd-amd64@freebsd.org
Date: Fri, 7 Apr 2006 11:54:45 +0200 (CEST)
Subject: Re: connection rate limitation for sshd - is it possible ?
In-Reply-To: <200604061133.k36BXTve097808@lurza.secnetix.de>
References: <200604061133.k36BXTve097808@lurza.secnetix.de>
List-Id: Porting FreeBSD to the AMD64 platform

> This is off-topic (not amd64-related),
> and you hijacked another thread, but anyway ...

The original question was how to set something with IPF on my AMD64 box, so I thought it was amd64-related; sorry for my misunderstanding of the purpose of this list.
> > please, is there a way to limit the number of connections to openssh
> > daemon per time period per source ip address ? I am using this on linux
> > boxes with iptables, but couldn't figure out how to do this with IPF on
> > FreeBSD. If it is not possible, is there another way how to do this ? Or
> > do you think it is (un)wise to run sshd under inetd with "-C" switch or
> > "max-connections-per-ip-per-minute" parameter ?
>
> It is unwise, because sshd has to generate the server key
> each time it is started -- if started from inetd, that
> would be each time a client connection is accepted.

Thank you for giving me good reasons not to do it.

> Maybe using "MaxStartups" in your sshd_config would be a
> better solution (refer to the manpage for details).

The problem is that it does not track source IPs, so there is a DoS risk.

I got other advice on how to set up PF, so I'll play with it, but as a short-term solution I will probably use inetd, since there are only a few people using sshd on that machine now and more users will be added later.

Best Regards,
David
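As an added example, not part of David's message or of the thread, here is the PF approach the reply points towards: a pf.conf fragment that rate-limits new sshd connections per source address, which is what MaxStartups alone cannot do. The interface name (em0), the threshold (5 new connections per 60 seconds) and the table name are assumptions.

```pf
# Added example (not from the thread): per-source-IP rate limiting of sshd.
# Assumed: external interface em0; at most 5 new ssh connections per 60 s
# from any one source address before it is listed in the overload table.
ext_if = "em0"

# Filled automatically by the overload option of the pass rule below;
# "persist" keeps the table even when no rule currently references it.
table <ssh_abusers> persist

# Sources already on the abuser list are dropped before the pass rule is
# evaluated; "quick" stops rule evaluation at this match.
block in quick on $ext_if proto tcp from <ssh_abusers> to ($ext_if) port ssh

# Allow ssh, but track state per source address: more than 5 new connections
# within 60 seconds adds the source to <ssh_abusers>, and "flush global" also
# tears down that source's existing states.
pass in on $ext_if proto tcp to ($ext_if) port ssh flags S/SA keep state \
    (source-track rule, max-src-conn-rate 5/60, overload <ssh_abusers> flush global)
```

`pfctl -t ssh_abusers -T show` lists the addresses currently blocked; since the overload table does not expire entries on its own, clear stale ones periodically, for example with `pfctl -t ssh_abusers -T expire 86400` from cron (the 86400-second age is an assumption).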