From owner-freebsd-stable@FreeBSD.ORG Thu Feb 16 20:35:04 2006
From: Atanas
Date: Thu, 16 Feb 2006 12:42:24 -0800
To: Dag-Erling Smørgrav
Cc: yar@freebsd.org, freebsd-stable@freebsd.org, Lowell Gilbert, David Malone, Rostislav Krasny, "Michael A. Koerber", Marian Hettwer
Subject: Re: SSH login takes very long time...sometimes
Message-ID: <43F4E3B0.1090806@asd.aplus.net>
In-Reply-To: <86irrfoix5.fsf@xps.des.no>
References: <59e2ee810512250841t75157e62rec9dc389ac716534@mail.gmail.com> <20051227101621.GA16276@walton.maths.tcd.ie> <86irrfoix5.fsf@xps.des.no>

Dag-Erling Smørgrav said the following on 02/15/06 23:35:
> David Malone writes:
>> I did once mail des@ to ask him if he'd mind me changing the default
>> login timeout for sshd to be (say) 5 minutes rather than 1 minute,
>> but I think he was busy at the time. Judging by the PR mentioned
>> above it should be at least 2m30s by default. Des, would you mind
>> this change being made?
>
> No objection, just let me see the patch first.
>
> DES

Just a thought, wouldn't this open a new possibility for denial of
service attacks?

Last year I already had to decrease the LoginGraceTime from 120 to 30
seconds on my production boxes, but it didn't help much, so on top of
that I got to implement (reinvent the wheel again) a script tailing the
auth.log and firewalling bad guys in order to secure sshd and let my
legitimate users in.

I really miss the inetd features. A setting like "nowait/100/20/5"
(/max-child[/max-connections-per-ip-per-minute[/max-child-per-ip]])
would effectively bounce the bad guys, but AFAIK (correct me if I'm
wrong), ssh is no longer supposed to work via inetd and still has no
such capabilities.

It'd be nice to have something like for instance sendmail's client and
rate connection limits, but I guess this is not the right place to ask.

Regards,
Atanas
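An added illustration of the kind of auth.log-watching script the post describes; it is not Atanas's script nor anything shipped with FreeBSD or OpenSSH. It applies a per-IP, per-minute limit in the spirit of inetd's max-connections-per-ip-per-minute field to sshd's own "Failed password" and "Timeout before authentication" log lines, and produces pfctl table commands rather than running them. The log lines are constructed, the year is assumed (syslog timestamps carry none), and the pf table name `ssh_bruteforce` is an assumption that presumes a matching block rule already exists in pf.conf.

```python
"""Flag SSH brute-force sources from auth.log lines (added example).

Pure functions over a list of log lines, so the same logic can be run
offline on samples or fed from `tail -F /var/log/auth.log` in production.
"""
import re
from datetime import datetime

# OpenSSH log formats for a rejected password and for a LoginGraceTime expiry.
FAILURE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?:Failed password for (?:invalid user )?\S+ from "
    r"|Timeout before authentication for )"
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)

ASSUMED_YEAR = 2006  # assumption: syslog timestamps have no year field

# Constructed sample lines (host name, PIDs and addresses are made up).
SAMPLE_LOG = [
    "Feb 16 12:34:49 gw sshd[7401]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2",
    "Feb 16 12:34:52 gw sshd[7404]: Failed password for root from 203.0.113.7 port 51240 ssh2",
    "Feb 16 12:34:55 gw sshd[7407]: Failed password for invalid user test from 203.0.113.7 port 51244 ssh2",
    "Feb 16 12:35:01 gw sshd[7410]: Timeout before authentication for 203.0.113.7",
    "Feb 16 12:35:03 gw sshd[7412]: Failed password for invalid user guest from 203.0.113.7 port 51250 ssh2",
    "Feb 16 12:40:10 gw sshd[7430]: Failed password for atanas from 198.51.100.12 port 40022 ssh2",
    "Feb 16 12:40:20 gw sshd[7430]: Accepted password for atanas from 198.51.100.12 port 40022 ssh2",
]


def parse_line(line):
    """Return (datetime, ip) for an sshd failure or timeout line, else None."""
    m = FAILURE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{ASSUMED_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["ip"]


def find_offenders(lines, max_failures=5, window_seconds=60):
    """IPs with at least max_failures failure events inside any span of
    window_seconds; a single typo from a legitimate user stays below it."""
    events = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            ts, ip = parsed
            events.setdefault(ip, []).append(ts)
    offenders = []
    for ip, stamps in events.items():
        stamps.sort()
        # Slide a window of max_failures consecutive events over the sorted list.
        for i in range(len(stamps) - max_failures + 1):
            span = (stamps[i + max_failures - 1] - stamps[i]).total_seconds()
            if span <= window_seconds:
                offenders.append(ip)
                break
    return sorted(offenders)


def pf_commands(ips, table="ssh_bruteforce"):
    """pfctl commands that would add each IP to a pf table (table name is an
    assumption; the pf.conf rule that blocks the table is assumed to exist)."""
    return [f"pfctl -t {table} -T add {ip}" for ip in ips]


if __name__ == "__main__":
    for cmd in pf_commands(find_offenders(SAMPLE_LOG)):
        print(cmd)
```

With the defaults, the sample's five failures from 203.0.113.7 within 14 seconds cross the threshold while the single typo from 198.51.100.12 does not; tightening the window to 10 seconds clears 203.0.113.7 as well, which is the knob to tune against LoginGraceTime so that slow, legitimate logins are not caught.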