Date:      Thu, 8 May 2008 11:29:46 +0200
From:      Mel <fbsd.questions@rachie.is-a-geek.net>
To:        freebsd-questions@freebsd.org
Cc:        Norbert Papke <fbsd-ml@scrapper.ca>, Steve Bertrand <iaccounts@ibctech.ca>
Subject:   Re: [SSHd] Increasing wait time?
Message-ID:  <200805081129.47201.fbsd.questions@rachie.is-a-geek.net>
In-Reply-To: <482278A3.7040304@ibctech.ca>
References:  <q7412457qoumm8v8dbth10fug2ctbrlfp0@4ax.com> <200805071831.13898.fbsd.questions@rachie.is-a-geek.net> <482278A3.7040304@ibctech.ca>

On Thursday 08 May 2008 05:50:59 Steve Bertrand wrote:
> >>    ssh stream  tcp  nowait/20/4/10  root  /usr/sbin/sshd  sshd -i
> >>
> >> into /etc/inetd.conf set a limit of
> >>
> >> * 20 overall ssh connections
> >> * 4 connection attempts per minute
> >> * at most 10 connections from a single IP
> >>
> >> This works very well on a personal server, not sure how it scales up.
> >
> > So if I copy over some files via scp, I can lock myself out. Fun stuff ;)
>
> Come on...
>
> The comment was based on a 'personal' server for logins.
>
> How 'bout you explain why SCP would break this so the OP understands...
>
> Otherwise, explain why running an FTP session through one of the
> server's SSH tunnels wouldn't be equally viable to running an unlimited
> number of SCP sessions over normal TCP ;)

because:
for FILE in */*.[ch]; do scp "${FILE}" host:/backup; done
is quicker to write than setting up tunnels.

The point is that there's a difference between failed login attempts and 
incoming connections. sshd logs failed login attempts, so it's easy to 
separate them (sysutils/grok) and set the rate limit to an acceptable value, 
should one try to hammer the server by simply opening connections.

-- 
Mel

Problem with today's modular software: they start with the modules
    and never get to the software part.
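The distinction Mel draws above (a burst of successful scp connections versus a burst of failed logins) can be checked directly against sshd's syslog output. The following is an added example, not code from the thread or from FreeBSD; it is a small Python log parser that separates connection events from authentication results and applies a per-source-IP sliding-window limit to each class. The log lines are constructed samples in the usual sshd syslog style (the `Connection from` lines assume a verbose LogLevel), and the thresholds (4 connections or 3 failures per 60 seconds) are chosen to mirror the inetd.conf numbers quoted earlier in the thread; none of these values come from a real host.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample sshd log lines (not captured from a real system).
# 192.0.2.10 runs a scp loop: six quick, successful publickey logins.
# 198.51.100.7 hammers the password prompt: four failures in under a minute.
SAMPLE_LOG = """\
May  8 11:20:01 host sshd[1201]: Connection from 192.0.2.10 port 51000
May  8 11:20:01 host sshd[1201]: Accepted publickey for mel from 192.0.2.10 port 51000 ssh2
May  8 11:20:03 host sshd[1205]: Connection from 192.0.2.10 port 51001
May  8 11:20:03 host sshd[1205]: Accepted publickey for mel from 192.0.2.10 port 51001 ssh2
May  8 11:20:05 host sshd[1209]: Connection from 192.0.2.10 port 51002
May  8 11:20:05 host sshd[1209]: Accepted publickey for mel from 192.0.2.10 port 51002 ssh2
May  8 11:20:07 host sshd[1213]: Connection from 192.0.2.10 port 51003
May  8 11:20:07 host sshd[1213]: Accepted publickey for mel from 192.0.2.10 port 51003 ssh2
May  8 11:20:09 host sshd[1217]: Connection from 192.0.2.10 port 51004
May  8 11:20:09 host sshd[1217]: Accepted publickey for mel from 192.0.2.10 port 51004 ssh2
May  8 11:20:12 host sshd[1220]: Connection from 198.51.100.7 port 40001
May  8 11:20:14 host sshd[1220]: Failed password for root from 198.51.100.7 port 40001 ssh2
May  8 11:20:20 host sshd[1224]: Connection from 198.51.100.7 port 40002
May  8 11:20:22 host sshd[1224]: Failed password for invalid user admin from 198.51.100.7 port 40002 ssh2
May  8 11:20:30 host sshd[1228]: Connection from 198.51.100.7 port 40003
May  8 11:20:32 host sshd[1228]: Failed password for root from 198.51.100.7 port 40003 ssh2
May  8 11:20:40 host sshd[1232]: Connection from 198.51.100.7 port 40004
May  8 11:20:42 host sshd[1232]: Failed password for invalid user test from 198.51.100.7 port 40004 ssh2
May  8 11:21:30 host sshd[1240]: Connection from 192.0.2.10 port 51005
May  8 11:21:30 host sshd[1240]: Accepted publickey for mel from 192.0.2.10 port 51005 ssh2
"""

# Patterns for the three event classes we care about. The auth patterns match
# both "Failed password for root ..." and "Failed password for invalid user x ...".
FAILED_RE = re.compile(r"Failed \S+ for (?:invalid user )?(\S+) from (\S+) port \d+")
ACCEPTED_RE = re.compile(r"Accepted \S+ for (\S+) from (\S+) port \d+")
CONN_RE = re.compile(r"Connection from (\S+) port \d+")


def parse_line(line):
    """Return an event dict (ts, kind, ip, user) or None for lines we ignore.

    The syslog timestamp occupies the first 15 characters ("May  8 11:20:01");
    strptime defaults the year, which is fine for relative window arithmetic.
    """
    ts = datetime.strptime(line[:15], "%b %d %H:%M:%S")
    if m := FAILED_RE.search(line):
        return {"ts": ts, "kind": "failed", "user": m.group(1), "ip": m.group(2)}
    if m := ACCEPTED_RE.search(line):
        return {"ts": ts, "kind": "accepted", "user": m.group(1), "ip": m.group(2)}
    if m := CONN_RE.search(line):
        return {"ts": ts, "kind": "connection", "user": None, "ip": m.group(1)}
    return None


def parse_log(text):
    """Parse every recognised line of a syslog excerpt into event dicts."""
    return [ev for ev in (parse_line(l) for l in text.splitlines() if l) if ev]


def summarize(events):
    """Per-IP counts of connections, accepted logins and failed logins."""
    counts = defaultdict(lambda: {"connections": 0, "accepted": 0, "failed": 0})
    for ev in events:
        key = {"connection": "connections", "accepted": "accepted", "failed": "failed"}[ev["kind"]]
        counts[ev["ip"]][key] += 1
    return dict(counts)


def exceeds_rate(timestamps, limit, window_seconds):
    """True if more than `limit` timestamps fall inside any `window_seconds` span."""
    ts = sorted(timestamps)
    j = 0
    for i in range(len(ts)):
        # Advance the right edge while it is still inside the window opened at ts[i].
        while j < len(ts) and (ts[j] - ts[i]).total_seconds() <= window_seconds:
            j += 1
        if j - i > limit:
            return True
    return False


def offenders(events, kind, limit, window_seconds=60):
    """IPs whose events of the given kind exceed `limit` per window."""
    per_ip = defaultdict(list)
    for ev in events:
        if ev["kind"] == kind:
            per_ip[ev["ip"]].append(ev["ts"])
    return {ip for ip, ts in per_ip.items() if exceeds_rate(ts, limit, window_seconds)}


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("per-IP summary:", summarize(evs))
    # A raw connection limit (4/min, as in the quoted inetd.conf) trips on the scp loop.
    print("connection-rate offenders:", offenders(evs, "connection", limit=4))
    # A failed-login limit only trips on the host that is actually guessing passwords.
    print("auth-failure offenders:", offenders(evs, "failed", limit=3))
```

Run stand-alone, the connection-rate rule flags only the scp loop host and the auth-failure rule flags only the password-guessing host, which is exactly the separation Mel argues for: limit what sshd reports as failed logins rather than the number of TCP connections.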


