From owner-freebsd-questions@FreeBSD.ORG Thu May 8 09:29:55 2008
From: Mel
To: freebsd-questions@freebsd.org
Cc: Norbert Papke, Steve Bertrand
Date: Thu, 8 May 2008 11:29:46 +0200
Subject: Re: [SSHd] Increasing wait time?
Message-Id: <200805081129.47201.fbsd.questions@rachie.is-a-geek.net>
In-Reply-To: <482278A3.7040304@ibctech.ca>

On Thursday 08 May 2008 05:50:59 Steve Bertrand wrote:
> >> ssh stream tcp nowait/20/4/10 root /usr/sbin/sshd sshd -i
> >>
> >> into /etc/inetd.conf set a limit of
> >>
> >> * 20 overall ssh connections
> >> * 4 connection attempts per minute
> >> * at most 10 connections from a single IP
> >>
> >> This works very well on a personal server, not sure how it scales up.
> >
> > So if I copy over some files via scp, I can lock myself out. Fun stuff ;)
>
> Come on...
>
> The comment was based on a 'personal' server for logins.
>
> How 'bout you explain why SCP would break this so the OP understands...
>
> Otherwise, explain why running an FTP session through one of the
> server's SSH tunnels wouldn't be equally viable to running an unlimited
> number of SCP sessions over normal TCP ;)

because:

for FILE in */*.[ch]; do scp ${FILE} host:/backup; done

is quicker to write than setting up tunnels.

The point is that there's a difference between failed login attempts and
incoming connections. sshd logs failed login attempts, so it's easy to
separate them (sysutils/grok) and set the rate limit to an acceptable
value, should one try to hammer the server by simply opening connections.

-- 
Mel

Problem with today's modular software: they start with the modules and
never get to the software part.
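The distinction Mel draws above, failed logins versus raw connections, as an added example that is not part of the original thread or of sysutils/grok: it parses constructed sshd syslog lines (the year is assumed, since syslog lines carry none) and shows that a per-IP limit keyed on failed logins flags only the hammering host, while the same limit keyed on connections, as inetd's nowait/20/4/10 counts them, also flags the scp loop.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in auth.log syslog format; not taken from the thread.
SAMPLE_LOG = """\
May  8 09:29:50 host sshd[1201]: Accepted publickey for mel from 198.51.100.7 port 51111 ssh2
May  8 09:29:51 host sshd[1202]: Accepted publickey for mel from 198.51.100.7 port 51112 ssh2
May  8 09:29:52 host sshd[1203]: Accepted publickey for mel from 198.51.100.7 port 51113 ssh2
May  8 09:29:53 host sshd[1204]: Accepted publickey for mel from 198.51.100.7 port 51114 ssh2
May  8 09:29:54 host sshd[1205]: Accepted publickey for mel from 198.51.100.7 port 51115 ssh2
May  8 09:30:01 host sshd[1210]: Failed password for invalid user admin from 203.0.113.5 port 40001 ssh2
May  8 09:30:03 host sshd[1211]: Failed password for root from 203.0.113.5 port 40002 ssh2
May  8 09:30:05 host sshd[1212]: Failed password for invalid user test from 203.0.113.5 port 40003 ssh2
May  8 09:30:07 host sshd[1213]: Failed password for invalid user oracle from 203.0.113.5 port 40004 ssh2
May  8 09:31:10 host sshd[1214]: Failed password for mel from 198.51.100.7 port 51120 ssh2
"""

# Matches OpenSSH "Accepted ..." / "Failed ..." login-result lines only.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) \S+ for (?:invalid user )?\S+ from (?P<ip>\S+) port \d+"
)

def parse_sshd_log(text, year=2008):
    """Return [(timestamp, result, ip)]; the year is an assumption, syslog omits it."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["result"], m["ip"]))
    return events

def ips_over_limit(events, limit=4, window=timedelta(minutes=1), failed_only=True):
    """IPs with at least `limit` qualifying events inside any sliding window.

    failed_only=True counts failed logins (what the post recommends);
    failed_only=False counts every connection (what the inetd limit does)."""
    per_ip = defaultdict(list)
    for ts, result, ip in events:
        if not failed_only or result == "Failed":
            per_ip[ip].append(ts)
    flagged = set()
    for ip, times in per_ip.items():
        times.sort()
        for i, start in enumerate(times):
            if i + limit - 1 < len(times) and times[i + limit - 1] - start <= window:
                flagged.add(ip)
                break
    return flagged
```

With the sample above, counting failures flags only 203.0.113.5, while counting connections also flags 198.51.100.7 for its five scp sessions in four seconds.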