From: chris@i13i.com
To: "David Malone"
Cc: yar@freebsd.org, freebsd-stable@freebsd.org, Lowell Gilbert, Atanas, Rostislav Krasny, Dag-Erling Smørgrav, "Michael A. Koerber", Marian Hettwer
Date: Thu, 16 Feb 2006 16:49:04 -0600 (CST)
Subject: Re: SSH login takes very long time...sometimes
Message-ID: <2646.201.144.115.229.1140130144.squirrel@webmail.i13i.com>
In-Reply-To: <200602162124.aa23962@salmon.maths.tcd.ie>
References: Your message of "Thu, 16 Feb 2006 12:42:24 PST." <43F4E3B0.1090806@asd.aplus.net> <200602162124.aa23962@salmon.maths.tcd.ie>
User-Agent: SquirrelMail/1.4.5
List-Id: Production branch of FreeBSD source code

Hello,

You should try Xinetd as it has more options to help with this.
I believe your SSH problem is due to a DNS/RDNS problem.

Regards,
Chris

>> Just a thought, wouldn't this open a new possibility for denial of
>> service attacks?
>
> I doubt it. I'm guessing you're thinking of an attack where someone
> makes many connections to sshd in a short time and runs you out of
> processes? I think you can protect against this with the MaxStartups
> directive in sshd_config. The amount of time that an attacker has
> to open many connections is probably not that important, as you can
> open a lot of TCP connections in 1 second even with a small link.
>
>> Last year I already had to decrease the LoginGraceTime from 120 to 30
>> seconds on my production boxes, but it didn't help much, so on top of
>> that I got to implement (reinvent the wheel again) a script tailing the
>> auth.log and firewalling bad guys in order to secure sshd and let my
>> legitimate users in.
>
> Are you trying to prevent the ssh scanners that just try well-known
> combinations of usernames and passwords? It is not clear that you
> gain much by firewalling these off, other than having fewer log
> messages.
>
>> I really miss the inetd features. A setting like "nowait/100/20/5"
>> (/max-child[/max-connections-per-ip-per-minute[/max-child-per-ip]])
>> would effectively bounce the bad guys, but AFAIK (correct me if I'm
>> wrong), ssh is no longer supposed to work via inetd and still has no
>> such capabilities.
>
> You can still run sshd through inetd (or, at least, the -i option
> is still documented in the sshd man page). It does suggest that you
> may need to reduce the key size to make this practical (increasing
> LoginGraceTime here may help too ;-)
>
> David.
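The thread discusses two knobs for bounding how many unauthenticated connections a listener will carry: sshd's MaxStartups directive and inetd's wait/nowait field with its max-child and per-IP limits. The script below is an added illustration, not code from the thread or from OpenSSH or FreeBSD. It parses a constructed sshd_config excerpt and a constructed inetd.conf line, and reproduces the MaxStartups "start:rate:full" random early drop ramp as sshd_config(5) documents it (refuse with probability rate% once `start` unauthenticated connections are pending, rising linearly to 100% at `full`); the "10:30:100" fallback used when no MaxStartups line is present is assumed to be the documented OpenSSH default, and the inetd field names follow the form quoted in the thread.

```python
"""Added example: model sshd MaxStartups and the inetd wait/nowait limits.
Not code from the thread, OpenSSH or FreeBSD; sample configs are constructed."""
import random
import re

# Constructed sshd_config excerpt (values chosen for illustration).
SAMPLE_SSHD_CONFIG = """\
Port 22
LoginGraceTime 30
MaxStartups 10:30:60
#MaxStartups 10   (commented-out line must be ignored)
"""
# Constructed inetd.conf line in the form the thread quotes.
SAMPLE_INETD_LINE = "ssh stream tcp nowait/100/20/5 root /usr/sbin/sshd sshd -i"

_TIME_UNITS = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}


def parse_sshd_config(text):
    """Map lowercase keyword -> value for uncommented 'Keyword value' lines."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            opts[parts[0].lower()] = parts[1].strip()
    return opts


def parse_time(value):
    """sshd time format: digits with optional s/m/h/d/w suffix -> seconds."""
    m = re.fullmatch(r"(\d+)([smhdw]?)", value.strip())
    if not m:
        raise ValueError("bad time value: %r" % value)
    return int(m.group(1)) * _TIME_UNITS[m.group(2)]


def parse_max_startups(value):
    """'start:rate:full' -> (start, rate, full). A bare N is a hard cap at N,
    which the ramp below reproduces as (N, 100, N)."""
    fields = value.split(":")
    if len(fields) == 1:
        n = int(fields[0])
        return (n, 100, n)
    if len(fields) != 3:
        raise ValueError("bad MaxStartups: %r" % value)
    start, rate, full = (int(f) for f in fields)
    if not (0 < start <= full and 1 <= rate <= 100):
        raise ValueError("bad MaxStartups: %r" % value)
    return (start, rate, full)


def drop_probability(pending, start, rate, full):
    """Percent chance sshd refuses a new connection while `pending`
    unauthenticated connections are open: 0 below start, rate% at start,
    a linear integer ramp in between, 100% at full."""
    if pending < start:
        return 0
    if pending >= full or rate == 100:
        return 100
    return rate + (100 - rate) * (pending - start) // (full - start)


def should_drop(pending, start, rate, full, rng=random):
    """Per-connection random early drop decision; rng is injectable for tests."""
    return rng.randrange(100) < drop_probability(pending, start, rate, full)


def parse_inetd_wait_field(field):
    """'wait|nowait[/max-child[/max-conn-per-ip-per-min[/max-child-per-ip]]]'.
    Missing or empty fields map to None (inetd's own default applies)."""
    parts = field.split("/")
    if parts[0] not in ("wait", "nowait") or len(parts) > 4:
        raise ValueError("bad wait field: %r" % field)
    names = ("max_child", "max_conn_per_ip_per_min", "max_child_per_ip")
    limits = dict.fromkeys(names)
    for name, raw in zip(names, parts[1:]):
        limits[name] = int(raw) if raw else None
    return {"mode": parts[0], **limits}


def summarize(sshd_config_text, inetd_line):
    """Return the effective limits an admin would review for both listeners.
    Fallbacks: LoginGraceTime 120 (as in the thread); MaxStartups 10:30:100
    (assumed documented OpenSSH default)."""
    opts = parse_sshd_config(sshd_config_text)
    start, rate, full = parse_max_startups(opts.get("maxstartups", "10:30:100"))
    return {
        "login_grace_seconds": parse_time(opts.get("logingracetime", "120")),
        "max_startups": (start, rate, full),
        "drop_ramp": {n: drop_probability(n, start, rate, full)
                      for n in (5, 10, 35, 60)},
        "inetd": parse_inetd_wait_field(inetd_line.split()[3]),
    }


if __name__ == "__main__":
    from pprint import pprint
    pprint(summarize(SAMPLE_SSHD_CONFIG, SAMPLE_INETD_LINE))
```

With the constructed values, the ramp shows what David's remark about MaxStartups buys: at 10 pending unauthenticated sessions 30% of new attempts are refused, at 35 roughly two thirds, and at 60 everything, so a flood of half-open sessions is capped at a bounded number of sshd children regardless of how fast they are opened; a shorter LoginGraceTime only shrinks how long each of those slots stays occupied.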