From owner-freebsd-questions@FreeBSD.ORG Thu May 8 05:25:31 2008
In-Reply-To: <200805060959.28509.beech@freebsd.org>
References: <200805060931.18936.beech@freebsd.org> <20080506173912.GB85015@Grumpy.DynDNS.org> <200805060959.28509.beech@freebsd.org>
Date: Thu, 8 May 2008 00:25:27 -0400
To: freebsd-questions@freebsd.org
From: Vince Sabio
Cc: Gilles, David Kelly
Subject: Re: [SSHd] Increasing wait time?

** At 09:59 -0800 on 05/06/2008, Beech Rintoul wrote:

>On Tuesday 06 May 2008, David Kelly said:
>> On Tuesday 06 May 2008, Gilles said:
>>> Is there a way to configure SSHd, so that the wait time between
>>> login attempts increases after X failed tries?
>>
>> Depending on how you use ssh from external systems you could add
>> firewall rules to disallow all but known sources.
>
>I was doing that in the past, but I found it to be inflexible and
>sometimes a pain to deal with. I sometimes need to access a server
>from a new location and that kind of hard lockdown just isn't
>practical.

I had the same problem (i.e., needing to access the server from a new location). In my case, one of the allowed sites is the server of a friend who has provided a shell account for me. When I'm on the road, I just ssh to his machine, and from there I can ssh into any of my machines. His machine effectively does all of the script-kiddie filtering for my site. ;-)

Note if you choose to do this: scp'ing files becomes a four-step process (i.e., scp file(s) to intermediate server, log in to intermediate server, scp to destination server, delete file(s) from intermediate server). Still worth it, though.

Remember the "wave theory" of script kiddies (WARNING: Gross oversimplification ahead): Quantum mechanics says that if you throw yourself against a wall several quintillion times, you'll eventually "wave" through it without leaving a mark on yourself or the wall.* Similarly, a sufficiently large number of break-in attempts by script kiddies will result in one of them "waving" straight past all of the security without leaving a scratch.

FWIW, I agree with cpghost -- it's strange that an addition as obvious and useful as this isn't already supported.

__________________________________________________________________________
Vince Sabio                                                 vince@vjs.org

* As if the first few billion tries didn't already leave some rather noticeable marks on both you AND the wall.
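The thread asks how to slow down or lock out sources that keep failing sshd logins. The counting step that any such back-off or lockout policy rests on is shown below as an added example; it is not code from the thread or from any of the tools mentioned in it. It reads sshd "Failed password" log lines, tallies failures per source address, and reports the addresses at or above a threshold, which is the list a firewall rule or delay policy would then act on. The log lines, host name, addresses and the threshold of 3 are all constructed for the example.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): count failed sshd
# password logins per source address and report sources that reach a
# threshold. This is the detection/counting step behind lockout tools;
# it only reads log text and blocks nothing itself.
#
# Constructed sample auth-log lines (not real data). Addresses are from
# the RFC 5737 documentation ranges.
SAMPLE_LOG='May  7 23:01:12 host sshd[1001]: Failed password for root from 198.51.100.7 port 40112 ssh2
May  7 23:01:15 host sshd[1001]: Failed password for root from 198.51.100.7 port 40113 ssh2
May  7 23:01:19 host sshd[1002]: Failed password for invalid user admin from 198.51.100.7 port 40114 ssh2
May  7 23:01:22 host sshd[1003]: Failed password for invalid user test from 198.51.100.7 port 40115 ssh2
May  7 23:02:01 host sshd[1004]: Accepted publickey for vince from 192.0.2.10 port 51000 ssh2
May  7 23:02:40 host sshd[1005]: Failed password for vince from 192.0.2.10 port 51002 ssh2
May  7 23:03:05 host sshd[1006]: Failed password for invalid user oracle from 203.0.113.9 port 60001 ssh2
May  7 23:03:07 host sshd[1006]: Failed password for invalid user oracle from 203.0.113.9 port 60002 ssh2
May  7 23:03:09 host sshd[1006]: Failed password for invalid user oracle from 203.0.113.9 port 60003 ssh2'

# failed_by_source: read log text on stdin and print "<count> <address>"
# for every source with at least one failed password attempt, most
# frequent first. "Accepted" lines and other sshd messages are ignored.
failed_by_source() {
    # sed keeps only the address following "from " on Failed-password
    # lines; sort|uniq -c counts per address; sort -rn orders by count.
    sed -n 's/.*sshd\[[0-9]*\]: Failed password for .* from \([0-9.]*\) port .*/\1/p' |
        sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# offenders THRESHOLD: read log text on stdin and print only the
# addresses whose failure count is >= THRESHOLD, one per line.
# A single mistyped password (192.0.2.10 above) stays below the bar.
offenders() {
    threshold="$1"
    failed_by_source | awk -v t="$threshold" '$1 >= t { print $2 }'
}

# Demonstration on the constructed sample with a threshold of 3.
printf '%s\n' "$SAMPLE_LOG" | failed_by_source
echo "--- sources with >= 3 failed logins ---"
printf '%s\n' "$SAMPLE_LOG" | offenders 3
```

The threshold is what keeps a legitimate user who fat-fingers a password once off the list; in a real deployment the count would be windowed in time and fed to a firewall table or a growing per-source delay, which is the behaviour the original question was asking sshd for.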