Date:      Wed, 07 May 2008 19:34:54 -0700
From:      Norbert Papke <fbsd-ml@scrapper.ca>
To:        freebsd-questions@freebsd.org
Subject:   Re: [SSHd] Increasing wait time?
Message-ID:  <200805071934.54600.fbsd-ml@scrapper.ca>
In-Reply-To: <200805071831.13898.fbsd.questions@rachie.is-a-geek.net>
References:  <q7412457qoumm8v8dbth10fug2ctbrlfp0@4ax.com> <200805062116.19999.fbsd-ml@scrapper.ca> <200805071831.13898.fbsd.questions@rachie.is-a-geek.net>

On May 7, 2008, Mel wrote:
> On Wednesday 07 May 2008 06:16:19 Norbert Papke wrote:
> > On May 6, 2008, Gilles wrote:
> > > Is there a way to configure SSHd, so that the wait time between login
> > > attempts increases after X failed tries?
> >
> > I run sshd via inetd rather than as a stand-alone daemon.  inetd provides
> > optional rate limiting functionality.  For instance, putting
> >
> >    ssh stream  tcp  nowait/20/4/10  root  /usr/sbin/sshd  sshd -i
> >
> > into /etc/inetd.conf sets a limit of
> >
> > * 20 overall ssh connections
> > * 4 connection attempts per minute
> > * at most 10 connections from a single IP
> >
> > This works very well on a personal server, not sure how it scales up.
>
> So if I copy over some files via scp, I can lock myself out. Fun stuff ;)

Absolutely.  But the same can happen with any rate limiting solution.

However, in practice this has never been an issue for me.  First, I tend to
copy large sets of files using a single connection, either 'scp -r' or by
running tar/rsync through an ssh tunnel.  Second, this kind of limit is
enough to discourage script kiddies, but caps my downside risk to an
acceptable (to me) one-minute lockout.

Anyway, it works for me.

Cheers,

-- Norbert.
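The inetd limits quoted above, modelled as an added Python example that is not part of the thread. It assumes the field meanings documented in inetd(8) for `nowait/max-child/max-connections-per-ip-per-minute/max-child-per-ip`, a 60-second sliding window, and a constructed burst of short scp sessions from one host to show the self-lockout Mel describes.

```python
import re
from collections import defaultdict, deque

# Model of the limits a FreeBSD inetd.conf wait/nowait field imposes, based on
# the field meanings in inetd(8). The 60-second sliding window and the exact
# drop behaviour are simplifying assumptions, not a copy of inetd's code.
FIELD_RE = re.compile(r"^(wait|nowait)(?:/(\d*))?(?:/(\d*))?(?:/(\d*))?$")

def parse_wait_field(field):
    """Return (max_child, per_ip_per_minute, max_child_per_ip); None = unlimited."""
    m = FIELD_RE.match(field)
    if not m:
        raise ValueError("bad wait/nowait field: %r" % field)
    return tuple(int(x) if x else None for x in m.groups()[1:])

def simulate(events, field):
    """events: constructed (time_s, ip, 'open'|'close') tuples in time order.
    Returns (time_s, ip, decision) per 'open', where decision is 'accept'
    or the name of the limit that dropped the connection."""
    max_child, per_ip_min, per_ip_child = parse_wait_field(field)
    active = defaultdict(int)      # ip -> live sshd children right now
    recent = defaultdict(deque)    # ip -> accept timestamps within the last 60 s
    out = []
    for t, ip, kind in events:
        if kind == "close":
            active[ip] = max(0, active[ip] - 1)
            continue
        while recent[ip] and t - recent[ip][0] >= 60:
            recent[ip].popleft()           # expire accepts older than a minute
        if max_child is not None and sum(active.values()) >= max_child:
            out.append((t, ip, "max-child"))
        elif per_ip_min is not None and len(recent[ip]) >= per_ip_min:
            out.append((t, ip, "max-connections-per-ip-per-minute"))
        elif per_ip_child is not None and active[ip] >= per_ip_child:
            out.append((t, ip, "max-child-per-ip"))
        else:
            active[ip] += 1
            recent[ip].append(t)
            out.append((t, ip, "accept"))
    return out

# Constructed scenario: five quick scp invocations from one host inside a
# minute, then one more after the window has passed.
SCP_BURST = [(0, "10.0.0.5", "open"), (1, "10.0.0.5", "close"),
             (2, "10.0.0.5", "open"), (3, "10.0.0.5", "close"),
             (4, "10.0.0.5", "open"), (5, "10.0.0.5", "close"),
             (6, "10.0.0.5", "open"), (7, "10.0.0.5", "close"),
             (8, "10.0.0.5", "open"), (70, "10.0.0.5", "open")]

if __name__ == "__main__":
    for row in simulate(SCP_BURST, "nowait/20/4/10"):
        print(row)
```

The fifth open at t=8 is dropped by the per-IP-per-minute limit even though only one sshd child is alive, which is exactly the scp case; the open at t=70 is accepted again once the minute has expired.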