SSH login takes very long time...sometimes

chris at i13i.com chris at i13i.com
Thu Feb 16 14:38:57 PST 2006


Hello,
You should try Xinetd as it has more options to help with this. I believe
your SSH problem is due to a DNS/RDNS problem.

Regards,
Chris

>> Just a thought, wouldn't this open a new possibility for denial of
>> service attacks?
>
> I doubt it. I'm guessing you're thinking of an attack where someone
> makes many connections to sshd in a short time and runs you out of
> processes? I think you can protect against this with the MaxStartups
> directive in sshd_config. The amount of time that an attacker has
> to open many connections is probably not that important, as you can
> open a lot of TCP connections in 1 second even with a small link.
>
>> Last year I already had to decrease the LoginGraceTime from 120 to 30
>> seconds on my production boxes, but it didn't help much, so on top of
>> that I got to implement (reinvent the wheel again) a script tailing the
>> auth.log and firewalling bad guys in order to secure sshd and let my
>> legitimate users in.
>
> Are you trying to prevent the ssh scanners that just try well-known
> combinations of usernames and passwords? It is not clear that you
> gain much by firewalling these off, other than having fewer log
> messages.
>
>> I really miss the inetd features. A setting like "nowait/100/20/5"
>> (/max-child[/max-connections-per-ip-per-minute[/max-child-per-ip]])
>> would effectively bounce the bad guys, but AFAIK (correct me if I'm
>> wrong), ssh is no longer supposed to work via inetd and still has no
>> such capabilities.
>
> You can still run sshd through inetd (or, at least, the -i option
> is still documented in the sshd man page). It does suggest that you
> may need to reduce the key size to make this practical (increasing
> LoginGraceTime here may help too ;-)
>
> 	David.
> _______________________________________________
> freebsd-stable at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-stable
> To unsubscribe, send any mail to "freebsd-stable-unsubscribe at freebsd.org"
>

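A minimal version of the auth.log watcher the quoted poster describes, written here as an added example (not code from the thread): it counts sshd password failures per source address in a sliding time window and emits pf table commands for the addresses that exceed the limit. The log lines are constructed samples, and the pf table name `sshguard` and the year 2006 are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Failed-login lines sshd writes to auth.log (plain and PAM variants).
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?:Failed password for (?:invalid user )?\S+"
    r"|error: PAM: authentication error for \S+) "
    r"from (?P<ip>[0-9.]+)"
)

# Constructed sample: one scanner, one legitimate login, one slow user.
SAMPLE_LOG = """\
Feb 16 14:38:01 gw sshd[2011]: Failed password for invalid user admin from 192.0.2.10 port 40211 ssh2
Feb 16 14:38:02 gw sshd[2012]: Failed password for invalid user test from 192.0.2.10 port 40212 ssh2
Feb 16 14:38:03 gw sshd[2013]: error: PAM: authentication error for root from 192.0.2.10
Feb 16 14:38:04 gw sshd[2014]: Failed password for root from 192.0.2.10 port 40214 ssh2
Feb 16 14:38:05 gw sshd[2015]: Failed password for invalid user guest from 192.0.2.10 port 40215 ssh2
Feb 16 14:38:06 gw sshd[2016]: Failed password for invalid user oracle from 192.0.2.10 port 40216 ssh2
Feb 16 14:38:10 gw sshd[2017]: Accepted publickey for chris from 203.0.113.5 port 51000 ssh2
Feb 16 14:39:30 gw sshd[2018]: Failed password for chris from 198.51.100.7 port 51001 ssh2
Feb 16 14:41:00 gw sshd[2019]: Failed password for chris from 198.51.100.7 port 51002 ssh2
"""

def parse_ts(ts, year=2006):
    # auth.log timestamps carry no year; 2006 is assumed for the sample.
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")

def find_offenders(lines, max_failures=5, window_seconds=60):
    """IPs with more than max_failures failed logins inside any
    window_seconds-long window, in order of first detection.
    Lines are expected in chronological order, as in a tailed log."""
    recent = defaultdict(deque)
    offenders = []
    for line in lines:
        m = FAILED_RE.match(line)
        if not m:
            continue  # successful logins and other noise are ignored
        ip, t = m.group("ip"), parse_ts(m.group("ts"))
        q = recent[ip]
        q.append(t)
        while (t - q[0]).total_seconds() > window_seconds:
            q.popleft()  # drop failures that fell out of the window
        if len(q) > max_failures and ip not in offenders:
            offenders.append(ip)
    return offenders

def pf_table_commands(ips, table="sshguard"):
    # Assumed pf table; the rule set must reference it, e.g.
    # "block in quick from <sshguard> to any port 22".
    return [f"pfctl -t {table} -T add {ip}" for ip in ips]
```

Running `pf_table_commands(find_offenders(SAMPLE_LOG.splitlines()))` yields one block command for 192.0.2.10; the user who failed twice in three minutes is left alone.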