Date: Mon, 19 Sep 2011 22:42:28 +0200 From: Damien Fleuriot <ml@my.gd> To: James Strother <jstrother9109@gmail.com> Cc: "freebsd-questions@freebsd.org" <freebsd-questions@freebsd.org> Subject: Re: limit number of ssh connections Message-ID: <C68AA406-8C5B-4F32-984C-EF07D5445FCB@my.gd> In-Reply-To: <CAAOvGP3uPgcA2L%2B3%2BaLuAkyy3m72L3fxeDbt67gF1iC2xPMitQ@mail.gmail.com> References: <CAAOvGP2Gj0=ZAYZn2KZYUa3NTCHVtUdtQqHumM1D5Ea26dzPrQ@mail.gmail.com> <946851316461449@web97.yandex.ru> <CAAOvGP3uPgcA2L%2B3%2BaLuAkyy3m72L3fxeDbt67gF1iC2xPMitQ@mail.gmail.com>
Again if your goal is to protect against attacks, you might want to look at sshguard from the ports. Otherwise I believe there's an sshd_config directive to limit the number of concurrent connections from a single source IP.

On 19 Sep 2011, at 22:02, James Strother <jstrother9109@gmail.com> wrote:

> That's an interesting project, I hadn't realized port knocking had
> become so easy to use.
>
> Unfortunately, for this particular server, I need to be able to
> provide a simple way for (a very limited number of) users to log in
> to the system remotely using a variety of OS platforms. So I don't
> think port knocking is a good fit here.
>
> Thanks,
> Jim
>
>
> 2011/9/19 Григорьев Александр <mr.festin@yandex.ru>:
>> If your target is to protect a freebsd box from password bruting from the inet, maybe security/knockd will help you?
>>
>> 19.09.2011, 23:05, "James Strother" <jstrother9109@gmail.com>:
>>> Does anyone know a good way of limiting the number of ssh attempts
>>> from a single IP address?
>>>
>>> I found the following website, which describes a variety of approaches:
>>>
>>> http://www.freebsdwiki.net/index.php/Block_repeated_illegal_or_failed_SSH_logins
>>>
>>> But I am honestly not really happy with any of them. Continuously
>>> polling log files for regex hits seems... well, crude. Just to give you
>>> an idea of what I mean, here were some of the issues I had. The
>>> sshd-scan.sh script allows IPs to be reinstated, but the timing is
>>> dependent on how frequently you rotate logs. sshguard has a pretty
>>> website, but I can't actually find much useful documentation on how to
>>> configure it. fail2ban looks like it might work with sufficient work,
>>> but the defaults are terrible. By default, every time an IP is
>>> reinstated, all IPs are reinstated. Not to mention, at present I
>>> can't seem to get it to trigger any hits.
>>>
>>> I suppose I could keep shopping, but the truth is I just think polling
>>> log files is the wrong way to solve the problem. Anything based on
>>> this approach is going to have a long latency and be highly dependent
>>> on the unspecified and unstable formatting of log files (see
>>> http://www.fail2ban.org/wiki/index.php/HOWTO_Mac_OS_X_Server_(10.4)
>>> and the troubles an exclamation point can cause).
>>>
>>> I would much, much rather do something like this:
>>>
>>> http://kevin.vanzonneveld.net/techblog/article/block_brute_force_attacks_with_iptables/
>>>
>>> Does anyone know a way to do something similar with ipfw?
>>>
>>> Thanks in advance,
>>> Jim
>>> _______________________________________________
>>> freebsd-questions@freebsd.org mailing list
>>> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
>>> To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"
>>
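Jim's underlying question is how to do in ipfw what the iptables article does: cap SSH connections per source address in the kernel rather than by polling logs. The script below is an added example written for this archive page, not code posted by anyone in the thread. It builds an ipfw ruleset around the stateful "limit src-addr N" option, which refuses a new SYN once a source address already holds N dynamic states for port 22. The rule numbers (100, 110), the default cap of 3, the APPLY and SSH_CAP environment variables and the use of the "me" address keyword are all assumptions; they would need adjusting to fit an existing ruleset.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): emit, and optionally
# apply, ipfw rules that cap concurrent SSH sessions per source address.
# Rule numbers, the default cap of 3 and the APPLY/SSH_CAP variables are
# assumptions for this illustration.

# Accept only a small positive integer for the per-source cap.
valid_cap() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;   # empty or non-numeric
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 100 ]
}

# Emit the ruleset for a given cap. "check-state" must come first so that
# packets belonging to an already-accepted session match their dynamic
# rule before the setup rule is consulted. A SYN that would exceed the
# cap is dropped by the limit rule itself; no separate deny is needed.
ssh_limit_rules() {
    cap="$1"
    valid_cap "$cap" || { echo "invalid cap: $cap" >&2; return 1; }
    cat <<EOF
add 100 check-state
add 110 allow tcp from any to me 22 in setup limit src-addr $cap
EOF
}

if [ "${APPLY:-0}" = 1 ]; then
    # Load the rules in one pass from stdin (requires root on FreeBSD).
    ssh_limit_rules "${SSH_CAP:-3}" | ipfw -q /dev/stdin
else
    # Default: print the rules so they can be reviewed before loading.
    ssh_limit_rules "${SSH_CAP:-3}"
fi
```

Two caveats worth knowing before relying on this. First, ipfw's limit counts open dynamic states per address, including half-open ones, which expire according to the net.inet.ip.fw.dyn_syn_lifetime and dyn_ack_lifetime sysctls; the iptables recent module in the linked article instead counts connection attempts within a time window, so the two are similar in spirit but not identical in what they throttle. Second, the sshd_config directive available in 2011, MaxStartups, caps unauthenticated connections to the daemon as a whole rather than per source; a per-source variant, PerSourceMaxStartups, only arrived with OpenSSH 8.5.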