From: Niki Denev
Date: Fri, 17 Feb 2006 02:11:41 +0200
To: Atanas
Cc: freebsd-stable@freebsd.org, Lowell Gilbert, David Malone, Rostislav Krasny, "Michael A. Koerber", Marian Hettwer
Subject: Re: SSH login takes very long time...sometimes

Atanas wrote:
> Dag-Erling Smørgrav said the following on 02/15/06 23:35:
>> David Malone writes:
>>> I did once mail des@ to ask him if he'd mind me changing the default
>>> login timeout for sshd to be (say) 5 minutes rather than 1 minute,
>>> but I think he was busy at the time. Judging by the PR mentioned
>>> above it should be at least 2m30s by default. Des, would you mind
>>> this change being made?
>>
>> No objection, just let me see the patch first.
>>
>> DES
>
> Just a thought, wouldn't this open a new possibility for denial of
> service attacks?
>
> Last year I already had to decrease the LoginGraceTime from 120 to 30
> seconds on my production boxes, but it didn't help much, so on top of
> that I got to implement (reinvent the wheel again) a script tailing the
> auth.log and firewalling bad guys in order to secure sshd and let my
> legitimate users in.
>
> I really miss the inetd features. A setting like "nowait/100/20/5"
> (/max-child[/max-connections-per-ip-per-minute[/max-child-per-ip]])
> would effectively bounce the bad guys, but AFAIK (correct me if I'm
> wrong), ssh is no longer supposed to work via inetd and still has no
> such capabilities.
>
> It'd be nice to have something like for instance the sendmail's client
> and rate connection limits, but I guess this is not the right place to ask.
>
> Regards,
> Atanas
> ______

I solved this for myself with the following pf(4) rule:

    # <bruteforce> is a placeholder: the table name that originally stood
    # between the angle brackets after "overload" was lost in the archive
    pass in quick on $ext inet proto tcp from any to any port ssh flags S/SA \
        keep state (source-track rule, max-src-conn $max_conn_per_ip, \
        max-src-conn-rate $max_conn_rate, overload <bruteforce> flush global)

with appropriate $max_conn_per_ip and $max_conn_rate limits, and "expiretable" in a cronjob to flush all entries in the table which are older than a predefined period.

I hope this helps.

--niki
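A fuller pf.conf fragment built around the rule above, as an added example that is not part of the original post: it supplies the table the overload clause fills, the block rule that consults it, and the expiretable cron line. The interface name, the limits, the <bruteforce> table name and the expiretable path are assumptions.

```pf
# Added example, not Niki's configuration; names and limits are assumed.
ext             = "em0"
max_conn_per_ip = "10"      # simultaneous SSH connections allowed per source
max_conn_rate   = "5/30"    # new SSH connections per source: 5 within 30 seconds

# Sources that exceed the limits land here; "persist" keeps the table
# alive across rule reloads even when nothing references it yet.
table <bruteforce> persist

# Quick rules match first, so this must precede the pass rule: once a
# source is in the table, its new SSH connections are dropped outright.
block in quick on $ext inet proto tcp from <bruteforce> to any port ssh

# Track each source separately (source-track rule), cap its concurrent
# connections and its connection rate, and on violation add it to
# <bruteforce> and kill its existing states (flush global).
pass in quick on $ext inet proto tcp from any to any port ssh flags S/SA \
    keep state (source-track rule, max-src-conn $max_conn_per_ip, \
    max-src-conn-rate $max_conn_rate, overload <bruteforce> flush global)

# Housekeeping from /etc/crontab (security/expiretable port): drop table
# entries older than 24 hours so a mistakenly blocked user gets back in.
#   */10  *  *  *  *  root  /usr/local/sbin/expiretable -t 24h bruteforce
```

Load with `pfctl -nf /etc/pf.conf` first to syntax-check, then `pfctl -f /etc/pf.conf`; `pfctl -t bruteforce -T show` lists the sources currently locked out.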