From owner-freebsd-questions@FreeBSD.ORG Thu May 8 02:35:50 2008
Date: Wed, 07 May 2008 19:34:54 -0700
From: Norbert Papke
To: freebsd-questions@freebsd.org
In-reply-to: <200805071831.13898.fbsd.questions@rachie.is-a-geek.net>
Message-id: <200805071934.54600.fbsd-ml@scrapper.ca>
Subject: Re: [SSHd] Increasing wait time?

On May 7, 2008, Mel wrote:
> On Wednesday 07 May 2008 06:16:19 Norbert Papke wrote:
> > On May 6, 2008, Gilles wrote:
> > > Is there a way to configure SSHd, so that the wait time between login
> > > attempts increases after X failed tries?
> >
> > I run sshd via inetd rather than as a stand-alone daemon. inetd provides
> > optional rate limiting functionality. For instance, putting
> >
> > ssh stream tcp nowait/20/4/10 root /usr/sbin/sshd sshd -i
> >
> > into /etc/inetd.conf sets a limit of
> >
> > * 20 overall ssh connections
> > * 4 connection attempts per minute
> > * at most 10 connections from a single IP
> >
> > This works very well on a personal server, not sure how it scales up.
>
> So if I copy over some files via scp, I can lock myself out. Fun stuff ;)

Absolutely. But the same can happen with any rate limiting solution. However, in practice this has never been an issue for me. First, I tend to copy large sets of files using a single connection. Either 'scp -r' or by running tar/rsync through an ssh tunnel. Second, this kind of limit is enough to discourage script kiddies, but caps my downside risk to an acceptable (to me) one minute lock out.

Anyway, it works for me.

Cheers,

-- Norbert.
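As an added example (not code from the thread or from FreeBSD), the following POSIX sh script parses the `wait/nowait` field of inetd.conf entries like the one quoted above and flags enabled services that carry no per-IP rate limit. The field layout is the one documented in FreeBSD's inetd(8), `wait|nowait[/max-child[/max-connections-per-ip-per-minute[/max-child-per-ip]]]`, which matches the three limits Norbert lists; the sample inetd.conf content is constructed.

```sh
#!/bin/sh
# Parse the fourth field of one inetd.conf entry and print its limits.
# Output: "mode=nowait max_child=20 per_ip_per_min=4 max_child_per_ip=10";
# a limit that is not present in the field is reported as "unlimited".
inetd_limits() {
    # Entry fields: service socktype proto wait/nowait[/limits] user program [args]
    set -- $1
    [ $# -ge 6 ] || { echo "malformed inetd.conf entry" >&2; return 1; }
    wait_field=$4
    # Split the slash-separated field; absent parts leave $2..$4 unset.
    old_ifs=$IFS
    IFS=/
    set -- $wait_field
    IFS=$old_ifs
    echo "mode=$1 max_child=${2:-unlimited} per_ip_per_min=${3:-unlimited} max_child_per_ip=${4:-unlimited}"
}

# Read inetd.conf content on stdin and name every enabled service whose
# entry sets no max-connections-per-ip-per-minute limit (the "4" above).
audit_inetd_conf() {
    while read -r line; do
        case $line in ''|\#*) continue ;; esac   # skip blanks and comments
        limits=$(inetd_limits "$line") || continue
        case $limits in
            *per_ip_per_min=unlimited*)
                set -- $line
                echo "$1: no per-IP rate limit" ;;
        esac
    done
}

# Constructed sample inetd.conf content (not from the original message).
SAMPLE_INETD_CONF='# services enabled on a small personal server
ssh    stream  tcp  nowait/20/4/10  root  /usr/sbin/sshd       sshd -i
ftp    stream  tcp  nowait          root  /usr/libexec/ftpd    ftpd -l
#telnet stream tcp  nowait          root  /usr/libexec/telnetd telnetd'

printf '%s\n' "$SAMPLE_INETD_CONF" | audit_inetd_conf
```

Run against a real /etc/inetd.conf with `audit_inetd_conf < /etc/inetd.conf`; the ssh entry from the thread passes, while the ftp entry is reported because it has no per-IP limit at all.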