limit number of ssh connections

Damien Fleuriot ml at my.gd
Mon Sep 19 20:42:36 UTC 2011 

Again if your goal is to protect against attacks, you might want to look at sshguard from the ports.

Otherwise I believe there's a sshd_config directive to limit the number of concurrent connections from a single source IP

On 19 Sep 2011, at 22:02, James Strother <jstrother9109 at gmail.com> wrote:

> That's an interesting project, I hadn't realized port knocking had
> become so easy to use.
> 
> Unfortunately, for this particular server, I need to be able to
> provide a simple way for (a very limited number of) users to login
> into the system remotely using a variety of OS platforms.  So I don't
> think port knocking is a good fit here.
> 
> Thanks,
>  Jim
> 
> 
> 
> 2011/9/19 Григорьев Александр <mr.festin at yandex.ru>:
>> If your target is protect freebsd box from bruting passwords from inet maybe security/knockd will help you?
>> 
>> 19.09.2011, 23:05, "James Strother" <jstrother9109 at gmail.com>:
>>> Does anyone know a good way of limiting the number of ssh attempts
>>> from a single IP address?
>>> 
>>> I found the following website, which describes a variety of approaches:
>>> 
>>> http://www.freebsdwiki.net/index.php/Block_repeated_illegal_or_failed_SSH_logins
>>> 
>>> But I am honestly not really happy with any of them.  Continuously
>>> polling log files for regex hits seems...well crude.  Just to give you
>>> an idea of what I mean, here were some of the issues I had. The
>>> sshd-scan.sh script allows IPs to be reinstated, but the timing is
>>> dependent on how frequently you rotate logs.  sshguard has a pretty
>>> website, but I can't actually find much useful documentation on how to
>>> configure it.  fail2ban looks like it might work with sufficient work,
>>> but the defaults are terrible.  By default, every time an IP is
>>> reinstated, all IPs are reinstated.  Not to mention, at present I
>>> can't seem to get it to trigger any hits.
>>> 
>>> I suppose I could keep shopping, but the truth is I just think polling
>>> log files is the wrong way to solve the problem.  Anything based on
>>> this approach is going to have a long latency and be highly dependent
>>> on the unspecified and unstable formatting of log files (see
>>> http://www.fail2ban.org/wiki/index.php/HOWTO_Mac_OS_X_Server_(10.4)
>>> and the troubles an exclamation point can cause).
>>> 
>>> I would much much rather do something like this:
>>> 
>>> http://kevin.vanzonneveld.net/techblog/article/block_brute_force_attacks_with_iptables/
>>> 
>>> Does anyone know a way to do something similar with ipfw?
>>> 
>>> Thanks in advance,
>>>   Jim
>>> _______________________________________________
>>> freebsd-questions at freebsd.org mailing list
>>> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
>>> To unsubscribe, send any mail to "freebsd-questions-unsubscribe at freebsd.org"
>> 
> _______________________________________________
> freebsd-questions at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to "freebsd-questions-unsubscribe at freebsd.org"

More information about the freebsd-questions mailing list