SSH login takes very long time...sometimes

Atanas atanas at asd.aplus.net
Thu Feb 16 12:35:05 PST 2006


Dag-Erling Smørgrav said the following on 02/15/06 23:35:
> David Malone <dwmalone at maths.tcd.ie> writes:
>> I did once mail des@ to ask him if he'd mind me changing the default
>> login timeout for sshd to be (say) 5 minutes rather than 1 minute,
>> but I think he was busy at the time. Judging by the PR mentioned
>> above it should be at least 2m30s by default. Des, would you mind
>> this change being made?
> 
> No objection, just let me see the patch first.
> 
> DES

Just a thought, wouldn't this open a new possibility for denial of 
service attacks?

Last year I already had to decrease the LoginGraceTime from 120 to 30 
seconds on my production boxes, but it didn't help much, so on top of 
that I got to implement (reinvent the wheel again) a script tailing the 
auth.log and firewalling bad guys in order to secure sshd and let my 
legitimate users in.

I really miss the inetd features. A setting like "nowait/100/20/5" 
(/max-child[/max-connections-per-ip-per-minute[/max-child-per-ip]]) 
would effectively bounce the bad guys, but AFAIK (correct me if I'm 
wrong), ssh is no longer supposed to work via inetd and still has no 
such capabilities.

It'd be nice to have something like, for instance, sendmail's client 
and rate connection limits, but I guess this is not the right place to ask.

Regards,
Atanas
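As an added illustration (not code from this post or from FreeBSD), here is the kind of auth.log watcher the message describes, written as a per-source sliding-window counter in the spirit of inetd's max-connections-per-ip-per-minute limit. The log lines, host name, addresses and the pf table name `sshbrute` are constructed placeholders.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample auth.log excerpt (placeholders, not real traffic):
# one source hammering sshd, one legitimate user with a single typo.
SAMPLE_AUTH_LOG = """\
Feb 16 12:30:01 host sshd[1201]: Failed password for invalid user admin from 192.0.2.10 port 40001 ssh2
Feb 16 12:30:05 host sshd[1203]: Failed password for invalid user test from 192.0.2.10 port 40002 ssh2
Feb 16 12:30:09 host sshd[1205]: Failed password for root from 192.0.2.10 port 40003 ssh2
Feb 16 12:30:12 host sshd[1207]: Failed password for invalid user oracle from 192.0.2.10 port 40004 ssh2
Feb 16 12:31:40 host sshd[1211]: Failed password for atanas from 198.51.100.7 port 50002 ssh2
Feb 16 12:31:44 host sshd[1213]: Accepted password for atanas from 198.51.100.7 port 50003 ssh2
Feb 16 12:45:00 host sshd[1301]: Failed password for invalid user guest from 192.0.2.10 port 40010 ssh2
"""

# Matches OpenSSH "Failed password" lines in BSD syslog format (no year).
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>[\d.]+) port \d+"
)

def failed_logins(log_text, year=2006):
    """Yield (timestamp, source_ip) for each failed-password line."""
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["ip"]

def find_offenders(log_text, max_failures=3, window_seconds=60, year=2006):
    """Return {ip: time the limit was crossed} for every source with more
    than max_failures failed logins inside a window_seconds sliding window."""
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    offenders = {}
    for ts, ip in failed_logins(log_text, year):
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()            # drop failures that aged out of the window
        if len(q) > max_failures and ip not in offenders:
            offenders[ip] = ts
    return offenders

def block_commands(offenders, table="sshbrute"):
    """Render pfctl commands that add each offender to a pf table
    (the table name is a placeholder; a pf rule must reference it)."""
    return [f"pfctl -t {table} -T add {ip}" for ip in sorted(offenders)]
```

The legitimate user with one failed attempt never crosses the limit, while the scanning source is flagged at its fourth failure inside one minute.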

