Date: Fri, 7 Apr 2006 11:54:45 +0200 (CEST)
From: xdavid@lib-eth.natur.cuni.cz
To: freebsd-amd64@freebsd.org
Subject: Re: connection rate limitation for sshd - is it possible ?
Message-ID: <Pine.LNX.4.64.0604071147320.18549@svinew.natur.cuni.cz>
In-Reply-To: <200604061133.k36BXTve097808@lurza.secnetix.de>
References: <200604061133.k36BXTve097808@lurza.secnetix.de>
> This is off-topic (not amd64-related),
> and you hijacked another thread, but anyway ...

The original question was how to set something with IPF on my AMD64 box, so I thought it was amd64-related; sorry for my misunderstanding of the purpose of this list.

> > please, is there a way to limit the number of connections to openssh
> > daemon per time period per source ip address ? I am using this on linux
> > boxes with iptables, but couldn't figure out how to do this with IPF on
> > FreeBSD. If it is not possible, is there another way how to do this ? Or
> > do you think it is (un)wise to run sshd under inetd with "-C" switch or
> > "max-connections-per-ip-per-minute" parameter ?
>
> It is unwise, because sshd has to generate the server key
> each time it is started -- if started from inetd, that
> would be each time a client connection is accepted.

Thank you for giving me good reasons not to do it.

> Maybe using "MaxStartups" in your sshd_config would be a
> better solution (refer to the manpage for details).

The problem is that it does not track source IPs, so there is a DoS risk. I got another piece of advice on how to set up PF, so I'll play with it, but as a short-term solution I'll probably use inetd, since there are only a few people using sshd on that machine now and more users will be added later.

Best Regards,
David
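For reference, the per-source limit the thread is after can be expressed directly in PF, which is what MaxStartups cannot do (it counts unauthenticated connections globally, not per client). This pf.conf fragment is an added example, not something posted in the thread; the interface name, table name and thresholds are assumptions.

```pf
# pf.conf fragment (added example): limit new SSH connections per source
# address and shun sources that exceed the rate. Interface, table name
# and numbers are assumptions to adjust for the host.
ext_if = "em0"

# Sources that exceeded the rate. "persist" keeps the table across rule
# reloads even when it is empty.
table <ssh_abusers> persist

# Drop all traffic from shunned sources before any pass rule is evaluated.
block in quick on $ext_if from <ssh_abusers>

# Allow SSH, but a single source may open at most 5 new connections per
# 60 seconds and hold at most 10 at once. A source over the limit is added
# to <ssh_abusers> and "flush global" tears down all of its existing states.
pass in on $ext_if proto tcp from any to ($ext_if) port ssh \
    flags S/SA keep state \
    (max-src-conn 10, max-src-conn-rate 5/60, \
     overload <ssh_abusers> flush global)

# Operational checks (run from a root shell, not part of pf.conf syntax):
#   pfctl -nf /etc/pf.conf                  # parse-check before loading
#   pfctl -f /etc/pf.conf                   # load the ruleset
#   pfctl -t ssh_abusers -T show            # see who has been shunned
#   pfctl -t ssh_abusers -T expire 3600     # from cron: forget entries older than 1h
```

Without the cron expiry, an address stays in the table until a reboot or a manual flush, so a legitimate user behind a misconfigured client would be locked out indefinitely.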