SSH login takes very long time...sometimes

Niki Denev nike_d at cytexbg.com
Thu Feb 16 16:11:53 PST 2006


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Atanas wrote:
> Dag-Erling Smørgrav said the following on 02/15/06 23:35:
>> David Malone <dwmalone at maths.tcd.ie> writes:
>>> I did once mail des@ to ask him if he'd mind me changing the default
>>> login timeout for sshd to be (say) 5 minutes rather than 1 minute,
>>> but I think he was busy at the time. Judging by the PR mentioned
>>> above it should be at least 2m30s by default. Des, would you mind
>>> this change being made?
>>
>> No objection, just let me see the patch first.
>>
>> DES
> 
> Just a thought, wouldn't this open a new possibility for denial of
> service attacks?
> 
> Last year I already had to decrease the LoginGraceTime from 120 to 30
> seconds on my production boxes, but it didn't help much, so on top of
> that I got to implement (reinvent the wheel again) a script tailing the
> auth.log and firewalling bad guys in order to secure sshd and let my
> legitimate users in.
> 
> I really miss the inetd features. A setting like "nowait/100/20/5"
> (/max-child[/max-connections-per-ip-per-minute[/max-child-per-ip]])
> would effectively bounce the bad guys, but AFAIK (correct me if I'm
> wrong), ssh is no longer supposed to work via inetd and still has no
> such capabilities.
> 
> It'd be nice to have something like, for instance, sendmail's client
> and rate connection limits, but I guess this is not the right place to ask.
> 
> Regards,
> Atanas
> ______


I solved this for me with the following pf(4) rule:

table <tempban-ssh> persist
# the block must precede the pass rule: "quick" stops at the first match
block in quick on $ext inet proto tcp from <tempban-ssh> to any port ssh
pass in quick on $ext inet proto tcp from any to any port ssh flags S/SA \
  keep state (source-track rule, max-src-conn $max_conn_per_ip, \
  max-src-conn-rate $max_conn_rate, overload <tempban-ssh> flush global)

with appropriate $max_conn_per_ip and $max_conn_rate limits (e.g. "5/30"
for max-src-conn-rate, meaning more than 5 connections from one source in 30
seconds), and "expiretable" in a cronjob to flush all entries in the
<tempban-ssh> table which are older than a predefined period.

I hope this helps.

- --niki
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFD9RS9HNAJ/fLbfrkRAi/bAKCe6T8RIGeVaq/EGkcxFa26jcK5xACeIoES
YEQ6LosYdZ824h8dVwwRo7c=
=ZhLi
-----END PGP SIGNATURE-----
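The same mechanism done in user space, which is roughly what Atanas's auth.log-tailing script had to do by hand before pf grew source tracking: a sliding-window counter per source address that bans a source after more than N failures inside a T-second window, with a fixed ban lifetime standing in for the expiretable cron job, and the pfctl(8) commands that would maintain the table. This is an added example, not code from either poster; the log lines are constructed, the year (syslog timestamps carry none), the table name "tempban-ssh" and the thresholds are assumptions.

```python
# Added example (not code from Niki's or Atanas's posts): a user-space model of
# pf's "max-src-conn-rate N/T ... overload <table>" plus an expiretable-style
# lifetime, replayed over constructed sshd auth.log lines. The thresholds, the
# table name "tempban-ssh", the log year and the sample lines are assumptions.
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LOG_YEAR = 2006  # syslog timestamps have no year; assumed for the sample

# Constructed sample log (RFC 5737 documentation addresses), not real data.
SAMPLE_LOG = """\
Feb 16 16:10:01 gw sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 40122 ssh2
Feb 16 16:10:03 gw sshd[1203]: Failed password for invalid user test from 203.0.113.7 port 40130 ssh2
Feb 16 16:10:05 gw sshd[1205]: Failed password for root from 203.0.113.7 port 40141 ssh2
Feb 16 16:10:07 gw sshd[1207]: Failed password for invalid user oracle from 203.0.113.7 port 40150 ssh2
Feb 16 16:10:09 gw sshd[1209]: Failed password for invalid user guest from 203.0.113.7 port 40161 ssh2
Feb 16 16:10:20 gw sshd[1211]: Failed password for atanas from 198.51.100.23 port 51000 ssh2
Feb 16 16:10:25 gw sshd[1213]: Accepted publickey for atanas from 198.51.100.23 port 51001 ssh2
Feb 16 16:15:00 gw sshd[1220]: Failed password for invalid user admin from 203.0.113.7 port 40200 ssh2
"""

# Matches the two OpenSSH failure messages that name the peer address.
FAIL_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?:Failed password|Invalid user) .*?\bfrom (?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)


def parse_failure(line):
    """Return (timestamp, source_ip) for a failed-login line, else None."""
    m = FAIL_RE.match(line)
    if not m:
        return None
    when = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S").replace(year=LOG_YEAR)
    return when, m.group("ip")


class OverloadTable:
    """More than max_hits failures from one source inside window_sec bans it for
    ban_sec: the semantics of max-src-conn-rate, with a lifetime as expiretable
    would enforce."""

    def __init__(self, max_hits=3, window_sec=30, ban_sec=240):
        self.max_hits = max_hits
        self.window = timedelta(seconds=window_sec)
        self.ban = timedelta(seconds=ban_sec)
        self.hits = defaultdict(deque)  # ip -> timestamps of recent failures
        self.banned = {}                # ip -> time the ban was imposed

    def expire(self, now):
        """Drop bans older than ban_sec; returns the released addresses."""
        released = [ip for ip, since in self.banned.items() if now - since >= self.ban]
        for ip in released:
            del self.banned[ip]
        return released

    def failure(self, ip, when):
        """Record one failure; returns True only when it triggers a new ban."""
        recent = self.hits[ip]
        recent.append(when)
        while recent and when - recent[0] > self.window:  # slide the window
            recent.popleft()
        if ip in self.banned or len(recent) <= self.max_hits:
            return False
        self.banned[ip] = when
        recent.clear()
        return True


def process_log(text, table=None):
    """Replay log lines in order (the log's own clock drives expiry); returns
    [(action, ip), ...] in the order a firewalling script must apply them."""
    table = table or OverloadTable()
    actions = []
    for line in text.splitlines():
        parsed = parse_failure(line)
        if parsed is None:
            continue
        when, ip = parsed
        actions += [("delete", old) for old in table.expire(when)]
        if table.failure(ip, when):
            actions.append(("add", ip))
    return actions


def pfctl_commands(actions, table_name="tempban-ssh"):
    """pfctl(8) invocations maintaining the table; on 'add' also kill the
    offender's existing states, as the rule's 'flush' does in the kernel."""
    cmds = []
    for action, ip in actions:
        cmds.append(f"pfctl -t {table_name} -T {action} {ip}")
        if action == "add":
            cmds.append(f"pfctl -k {ip}")
    return cmds


if __name__ == "__main__":
    for cmd in pfctl_commands(process_log(SAMPLE_LOG)):
        print(cmd)
```

One difference worth keeping in mind: the pf rule counts TCP connections at SYN time, before sshd has said anything, so it throttles a flood regardless of whether the passwords fail, while a log-driven script such as this one only reacts after sshd has already spent a LoginGraceTime slot on each attempt. That is why the in-kernel rule helps with the timeout-exhaustion problem raised earlier in the thread and the log tail alone did not.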

