Date: Thu, 16 Feb 2006 12:42:24 -0800 From: Atanas <atanas@asd.aplus.net> To: =?ISO-8859-1?Q?Dag-Erling_Sm=F8rgrav?= <des@des.no> Cc: yar@freebsd.org, freebsd-stable@freebsd.org, Lowell Gilbert <freebsd-stable-local@be-well.ilk.org>, David Malone <dwmalone@maths.tcd.ie>, Rostislav Krasny <rosti.bsd@gmail.com>, "Michael A. Koerber" <mak@ll.mit.edu>, Marian Hettwer <MH@kernel32.de> Subject: Re: SSH login takes very long time...sometimes Message-ID: <43F4E3B0.1090806@asd.aplus.net> In-Reply-To: <86irrfoix5.fsf@xps.des.no> References: <59e2ee810512250841t75157e62rec9dc389ac716534@mail.gmail.com> <20051227101621.GA16276@walton.maths.tcd.ie> <86irrfoix5.fsf@xps.des.no>
next in thread | previous in thread | raw e-mail | index | archive | help
Dag-Erling Smørgrav said the following on 02/15/06 23:35: > David Malone <dwmalone@maths.tcd.ie> writes: >> I did once mail des@ to ask him if he'd mind me changing the default >> login timeout for sshd to be (say) 5 minutes rather than 1 minute, >> but I think he was busy at the time. Judging by the PR mentioned >> above it should be at least 2m30s by default. Des, would you mind >> this change being made? > > No objection, just let me see the patch first. > > DES Just a thought, wouldn't this open a new possibility for denial of service attacks? Last year I already had to decrease the LoginGraceTime from 120 to 30 seconds on my production boxes, but it didn't help much, so on top of that I got to implement (reinvent the wheel again) a script tailing the auth.log and firewalling bad gyus in order to secure sshd and let my legitimate users in. I really miss the inetd features. A setting like "nowait/100/20/5" (/max-child[/max-connections-per-ip-per-minute[/max-child-per-ip]]) would effectively bounce the bad guys, but AFAIK (correct me if I'm wrong), ssh is no longer supposed to work via inetd and still has no such capabilities. I'd be nice to have something like for instance the sendmail's client and rate connection limits, but I guess this is not the right place to ask. Regards, Atanas
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?43F4E3B0.1090806>