Date:      Thu, 8 May 2008 00:25:27 -0400
From:      Vince Sabio <vince@vjs.org>
To:        freebsd-questions@freebsd.org
Cc:        Gilles <gilles.ganault@free.fr>, David Kelly <dkelly@hiwaay.net>
Subject:   Re: [SSHd] Increasing wait time?
Message-ID:  <p05200f04c4482c6bafb9@[192.168.2.250]>
In-Reply-To: <200805060959.28509.beech@freebsd.org>
References:  <q7412457qoumm8v8dbth10fug2ctbrlfp0@4ax.com> <200805060931.18936.beech@freebsd.org> <20080506173912.GB85015@Grumpy.DynDNS.org> <200805060959.28509.beech@freebsd.org>

** At 09:59 -0800 on 05/06/2008, Beech Rintoul wrote:
>On Tuesday 06 May 2008, David Kelly said:
>> On Tuesday 06 May 2008, Gilles said:
>>> Is there a way to configure SSHd, so that the wait time between
>>> login attempts increases after X failed tries?
>>
>> Depending on how you use ssh from external systems you could add
>> firewall rules to disallow all but known sources.
>
>I was doing that in the past, but I found it to be inflexible and
>sometimes a pain to deal with. I sometimes need to access a server
>from a new location and that kind of hard lockdown just isn't
>practical.

I had the same problem (i.e., needing to access the server from a new 
location). In my case, one of the allowed sites is the server of a 
friend who has provided a shell account for me. When I'm on the road, 
I just ssh to his machine, and from there I can ssh into any of my 
machines. His machine effectively does all of the script-kiddie 
filtering for my site. ;-)

Note if you choose to do this: scp'ing files becomes a four-step 
process (i.e., scp file(s) to intermediate server, log in to 
intermediate server, scp to destination server, delete file(s) from 
intermediate server). Still worth it, though.

Remember the "wave theory" of script kiddies (WARNING: Gross 
oversimplification ahead): Quantum mechanics says that if you throw 
yourself against a wall several quintillion times, you'll eventually 
"wave" through it without leaving a mark on yourself or the wall.* 
Similarly, a sufficiently large number of break-in attempts by script 
kiddies will result in one of them "waving" straight past all of the 
security without leaving a scratch.

FWIW, I agree with cpghost -- it's strange that an addition as 
obvious and useful as this isn't already supported.

__________________________________________________________________________
Vince Sabio                                                  vince@vjs.org

* As if the first few billion tries didn't already leave some rather 
noticeable marks on both you AND the wall.
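The escalating wait Gilles asked about is not something sshd does by itself; in practice it is done by a watcher that reads the auth log, counts failures per source and asks the firewall to block that source for a growing period. As an added example (not code from this thread or from sshd), here is the decision logic of such a watcher in Python, run over constructed sshd log lines; the threshold, base delay and cap are assumed values.

```python
import re
from collections import defaultdict

# Constructed sshd auth-log sample (not taken from the thread).
SAMPLE_LOG = """\
May  6 09:31:01 host sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 40122 ssh2
May  6 09:31:03 host sshd[1203]: Failed password for root from 203.0.113.5 port 40130 ssh2
May  6 09:31:05 host sshd[1205]: Failed password for invalid user test from 203.0.113.5 port 40141 ssh2
May  6 09:31:09 host sshd[1207]: Failed password for root from 203.0.113.5 port 40150 ssh2
May  6 09:32:00 host sshd[1210]: Accepted publickey for vince from 198.51.100.7 port 51000 ssh2
May  6 09:32:30 host sshd[1212]: Failed password for root from 198.51.100.7 port 51010 ssh2
"""

# Matches sshd's "Failed password" line for both valid and invalid users
# and captures the source address.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from (\S+) port \d+"
)


def count_failures(log_text):
    """Return {source_ip: number of failed password attempts}."""
    counts = defaultdict(int)
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            counts[m.group(1)] += 1
    return dict(counts)


def block_seconds(failures, threshold=3, base=30, cap=3600):
    """Escalating wait: 0 below the threshold, then the base delay
    doubling with every further failure, capped so a persistent
    attacker cannot drive the block time up without bound."""
    if failures < threshold:
        return 0
    return min(base * 2 ** (failures - threshold), cap)


def offenders(log_text, threshold=3, base=30, cap=3600):
    """Sources that have earned a block, with the block length in seconds.
    A real watcher would hand these to pf/ipfw; here we only compute them."""
    result = {}
    for src, n in count_failures(log_text).items():
        wait = block_seconds(n, threshold, base, cap)
        if wait:
            result[src] = wait
    return result


if __name__ == "__main__":
    print(offenders(SAMPLE_LOG))  # {'203.0.113.5': 60}
```

The watcher must be re-run (or tail the log) so that the wait for a source keeps doubling as its failures accumulate, which is exactly the behaviour the original question wanted from sshd.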
