Date: Thu, 16 Feb 2006 21:24:55 +0000
From: David Malone <dwmalone@maths.tcd.ie>
To: Atanas <atanas@asd.aplus.net>
Cc: yar@freebsd.org, freebsd-stable@freebsd.org, Lowell Gilbert <freebsd-stable-local@be-well.ilk.org>, Rostislav Krasny <rosti.bsd@gmail.com>, Dag-Erling Smørgrav <des@des.no>, "Michael A. Koerber" <mak@ll.mit.edu>, Marian Hettwer <MH@kernel32.de>
Subject: Re: SSH login takes very long time...sometimes
Message-ID: <200602162124.aa23962@salmon.maths.tcd.ie>
In-Reply-To: Your message of "Thu, 16 Feb 2006 12:42:24 PST." <43F4E3B0.1090806@asd.aplus.net>
> Just a thought, wouldn't this open a new possibility for denial of
> service attacks?

I doubt it. I'm guessing you're thinking of an attack where someone makes many connections to sshd in a short time and runs you out of processes? I think you can protect against this with the MaxStartups directive in sshd_config. The amount of time that an attacker has to open many connections is probably not that important, as you can open a lot of TCP connections in 1 second even with a small link.

> Last year I already had to decrease the LoginGraceTime from 120 to 30
> seconds on my production boxes, but it didn't help much, so on top of
> that I got to implement (reinvent the wheel again) a script tailing the
> auth.log and firewalling bad guys in order to secure sshd and let my
> legitimate users in.

Are you trying to prevent the ssh scanners that just try well-known combinations of usernames and passwords? It is not clear that you gain much by firewalling these off, other than having fewer log messages.

> I really miss the inetd features. A setting like "nowait/100/20/5"
> (/max-child[/max-connections-per-ip-per-minute[/max-child-per-ip]])
> would effectively bounce the bad guys, but AFAIK (correct me if I'm
> wrong), ssh is no longer supposed to work via inetd and still has no
> such capabilities.

You can still run sshd through inetd (or, at least, the -i option is still documented in the sshd man page). It does suggest that you may need to reduce the key size to make this practical (increasing LoginGraceTime here may help too ;-)

	David.
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200602162124.aa23962>
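The "script tailing the auth.log and firewalling bad guys" that Atanas mentions, and the per-IP-per-minute limit that inetd's nowait/100/20/5 field expresses, come down to the same sliding-window count. The following is an added example written for this page, not code from the thread, from FreeBSD or from OpenSSH: it parses syslog-style sshd "Failed password" lines, counts failures per source address inside a 60-second window (the inetd max-connections-per-ip-per-minute idea done in userland), and reports addresses that hit the limit. The log lines are constructed (RFC 5737 documentation addresses, host name borrowed from the Message-ID), the year is an assumption because syslog timestamps carry none, and the ipfw command it builds is only returned as a string, never executed. David's point above still stands: this reduces log noise, while the control that actually bounds unauthenticated connections is MaxStartups in sshd_config (its start:rate:full form, e.g. 10:30:60, drops new unauthenticated connections probabilistically once 10 are pending and unconditionally at 60).

```python
"""Sliding-window detector for repeated sshd password failures per source IP.

Added example, not code from the mailing-list thread, FreeBSD or OpenSSH.
It reads auth.log lines, counts "Failed password" events per source address
inside a sliding window and reports addresses that reach the limit. It only
builds a firewall command string; it never runs one.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# sshd lines as syslogd writes them: "Mon DD HH:MM:SS host sshd[pid]: message".
# Only "Failed password" lines are counted; the "Invalid user ... from ..." line
# that precedes them for unknown accounts would double-count the same attempt.
_FAILED = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

LOG_YEAR = 2006  # assumption: syslog timestamps have no year; matches the thread's date


def parse_failure(line):
    """Return (timestamp, source_ip) for a failed-password line, else None."""
    m = _FAILED.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S").replace(year=LOG_YEAR)
    return ts, m.group("ip")


def find_offenders(lines, limit=5, window_seconds=60):
    """Return source IPs that reach `limit` failures within `window_seconds`,
    in the order they were first flagged. Each IP is reported once."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)  # ip -> failure timestamps still inside the window
    flagged = []
    for line in lines:
        parsed = parse_failure(line)
        if parsed is None:
            continue
        ts, ip = parsed
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:  # expire events that fell out of the window
            q.popleft()
        if len(q) >= limit and ip not in flagged:
            flagged.append(ip)
    return flagged


def ipfw_rule(ip, rule_number=1000):
    """Build, but do not execute, the ipfw rule a log-tailing script might add.
    The rule number and whether to block at all are the operator's decision."""
    return f"ipfw add {rule_number} deny tcp from {ip} to me 22"


# Constructed sample auth.log excerpt (not a real capture): a scanner at
# 198.51.100.7, a slow guesser at 203.0.113.5, and a legitimate user at
# 192.0.2.44 who fumbles a password a few times before logging in.
SAMPLE_LOG = """\
Feb 16 21:20:00 salmon sshd[23901]: Failed password for bob from 203.0.113.5 port 40011 ssh2
Feb 16 21:23:30 salmon sshd[23917]: Failed password for bob from 203.0.113.5 port 40012 ssh2
Feb 16 21:24:55 salmon sshd[23962]: Invalid user admin from 198.51.100.7
Feb 16 21:24:55 salmon sshd[23962]: Failed password for invalid user admin from 198.51.100.7 port 51234 ssh2
Feb 16 21:25:01 salmon sshd[23963]: Failed password for invalid user test from 198.51.100.7 port 51235 ssh2
Feb 16 21:25:03 salmon sshd[23964]: Failed password for invalid user oracle from 198.51.100.7 port 51236 ssh2
Feb 16 21:25:10 salmon sshd[23965]: Failed password for root from 198.51.100.7 port 51237 ssh2
Feb 16 21:25:12 salmon sshd[23966]: Failed password for root from 198.51.100.7 port 51238 ssh2
Feb 16 21:25:15 salmon sshd[23967]: Failed password for root from 198.51.100.7 port 51239 ssh2
Feb 16 21:26:00 salmon sshd[23970]: Failed password for alice from 192.0.2.44 port 55100 ssh2
Feb 16 21:26:30 salmon sshd[23971]: Failed password for alice from 192.0.2.44 port 55101 ssh2
Feb 16 21:27:00 salmon sshd[23972]: Failed password for bob from 203.0.113.5 port 40013 ssh2
Feb 16 21:27:00 salmon sshd[23973]: Failed password for alice from 192.0.2.44 port 55102 ssh2
Feb 16 21:27:30 salmon sshd[23974]: Failed password for alice from 192.0.2.44 port 55103 ssh2
Feb 16 21:28:00 salmon sshd[23975]: Failed password for alice from 192.0.2.44 port 55104 ssh2
Feb 16 21:28:10 salmon sshd[23976]: Accepted publickey for alice from 192.0.2.44 port 55105 ssh2
Feb 16 21:28:30 salmon su: alice to root on /dev/ttyp0
""".splitlines()


if __name__ == "__main__":
    for ip in find_offenders(SAMPLE_LOG):
        print(f"{ip}: {ipfw_rule(ip)}")
```

With the defaults only the scanner is reported: five failures inside 17 seconds. The user who fails every 30 seconds never has more than three failures inside any 60-second window, which is the reason to count within a window rather than over the life of the log; a plain per-IP total would have flagged that user too. Lowering the limit to 3 catches the user as well, which is the trade-off Atanas' "let my legitimate users in" remark is about.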