From: David Malone <dwmalone@maths.tcd.ie>
To: Atanas
Cc: yar@freebsd.org, freebsd-stable@freebsd.org, Lowell Gilbert, Rostislav Krasny, Dag-Erling Smørgrav, "Michael A. Koerber", Marian Hettwer
Date: Thu, 16 Feb 2006 21:24:55 +0000
Subject: Re: SSH login takes very long time...sometimes
Message-ID: <200602162124.aa23962@salmon.maths.tcd.ie>
In-reply-to: Your message of "Thu, 16 Feb 2006 12:42:24 PST." <43F4E3B0.1090806@asd.aplus.net>

> Just a thought, wouldn't this open a new possibility for denial of
> service attacks?

I doubt it. I'm guessing you're thinking of an attack where someone
makes many connections to sshd in a short time and runs you out of
processes? I think you can protect against this with the MaxStartups
directive in sshd_config. The amount of time that an attacker has to
open many connections is probably not that important, as you can open
a lot of TCP connections in 1 second even with a small link.

> Last year I already had to decrease the LoginGraceTime from 120 to 30
> seconds on my production boxes, but it didn't help much, so on top of
> that I got to implement (reinvent the wheel again) a script tailing the
> auth.log and firewalling bad guys in order to secure sshd and let my
> legitimate users in.

Are you trying to prevent the ssh scanners that just try well-known
combinations of usernames and passwords? It is not clear that you gain
much by firewalling these off, other than having fewer log messages.

> I really miss the inetd features. A setting like "nowait/100/20/5"
> (/max-child[/max-connections-per-ip-per-minute[/max-child-per-ip]])
> would effectively bounce the bad guys, but AFAIK (correct me if I'm
> wrong), ssh is no longer supposed to work via inetd and still has no
> such capabilities.

You can still run sshd through inetd (or, at least, the -i option is
still documented in the sshd man page). It does suggest that you may
need to reduce the key size to make this practical (increasing
LoginGraceTime here may help too ;-)

	David.
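The auth.log-tailing script Atanas describes, as an added example that is not part of the thread: it counts failed sshd password attempts per source address and lists the addresses at or above a threshold, which is the list such a script would hand to an ipfw or pf rule. It assumes OpenSSH's "Failed password for ... from <ip>" log line format; the sample log lines are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the thread. Counts failed sshd logins per
# source address and reports addresses at or above a threshold.

# ssh_offenders <threshold>   (reads log lines on stdin)
# Prints "ip count" for every address with >= threshold failures,
# highest count first. Only OpenSSH "Failed password" lines are counted;
# lines such as "Invalid user ... from <ip>" are ignored on purpose so a
# single bad username never pushes an address over the threshold.
ssh_offenders() {
    min=$1
    awk -v min="$min" '
        /sshd\[[0-9]+\]: Failed password for/ {
            # The source address is the token right after the word "from".
            for (i = 1; i <= NF; i++) {
                if ($i == "from") { fails[$(i + 1)]++; break }
            }
        }
        END {
            for (ip in fails) if (fails[ip] >= min) print ip, fails[ip]
        }
    ' | sort -k2,2nr -k1,1
}

# Constructed sample of /var/log/auth.log content (RFC 5737 test addresses).
sample_log() {
    cat <<'EOF'
Feb 16 21:20:01 host sshd[2301]: Failed password for invalid user admin from 192.0.2.10 port 4321 ssh2
Feb 16 21:20:02 host sshd[2301]: Failed password for invalid user admin from 192.0.2.10 port 4322 ssh2
Feb 16 21:20:03 host sshd[2305]: Failed password for root from 192.0.2.10 port 4323 ssh2
Feb 16 21:20:04 host sshd[2307]: Failed password for invalid user test from 192.0.2.10 port 4324 ssh2
Feb 16 21:20:05 host sshd[2309]: Failed password for invalid user oracle from 192.0.2.10 port 4325 ssh2
Feb 16 21:21:10 host sshd[2315]: Failed password for alice from 198.51.100.7 port 5000 ssh2
Feb 16 21:21:40 host sshd[2318]: Accepted password for alice from 198.51.100.7 port 5001 ssh2
Feb 16 21:22:00 host sshd[2320]: Invalid user guest from 203.0.113.9
EOF
}

# Stand-alone run: the scanner at 192.0.2.10 is listed, alice's single typo is not.
sample_log | ssh_offenders 5
```

In production the function would be fed by `tail -f /var/log/auth.log` instead of `sample_log`, and only its thresholded output, never the raw log, should drive a firewall rule.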