On Wed, Feb 27, 2008 at 10:39:15PM +0100, Penguin Lover Anno v. Heimburg 
squawked:
> It limits the number of new connections on each port in
> INPUT_LIMITER_TCPPORTS from any individual host to INPUT_LIMITER_COUNT
> within INPUT_LIMITER_TIME.

My experience suggests that finding the right INPUT_LIMITER_TIME would
be difficult. From my experience (by reading the logs after I cobbled
together a patchwork solution to blacklist hosts), the typical
behaviour of an sshd bruteforce attack, after you start dropping
packets from it, is that it will begin to add a geometrically
increasing sleep time between attempts and continue for about 30
minutes to an hour. So if your time parameter is on the order of
several seconds, the attack will be like

  try, try, try, doh! connection timed out, wait a bit, try again,
  doh! still timed out, wait a bit longer, hey it works now, try, try,
  doh! time out again

rinse and repeat. 

But if you set the time parameter to minutes or tens of minutes, then
you risk banning yourself if you need multiple instances of ssh. (Yes,
screen is nice, but sometimes I like to keep two terminals open. And
there's always the "saving work, quitting, logging out; doh!
forgot to do something, log back in again" scenario.)

W
-- 
When a clock is hungry it goes back four seconds.
Sortir en Pantoufles: up 447 days, 14:54
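As an added illustration (not part of the original message, and not the firewall script's own logic), here is a small Python model of a per-host "COUNT new connections per TIME seconds" limiter played against the two clients described above: a bruteforcer that doubles its sleep after every dropped attempt, and an admin who opens a second terminal and then logs back in after forgetting something. The limiter, the backoff schedule, the login timeline and the addresses are all constructed assumptions; the model records every SYN it sees, accepted or dropped, so a hammering host extends its own lockout.

```python
"""Toy model of a per-host "at most COUNT new connections in any TIME
seconds" limiter (the INPUT_LIMITER_COUNT / INPUT_LIMITER_TIME idea),
pitted against an sshd bruteforcer with geometric backoff and against a
human with two terminals.  Added example: the limiter and both client
models are simplified assumptions, not the firewall script's own code."""
from collections import defaultdict, deque


class HostLimiter:
    """Sliding window: a source host may open at most `count` new
    connections in any `window` seconds.  Every attempt is recorded,
    accepted or not (assumption: a host that keeps hammering while
    blocked keeps its own window full)."""

    def __init__(self, count: int, window: float):
        self.count = count
        self.window = window
        self.seen = defaultdict(deque)  # host -> timestamps of recent SYNs

    def allow(self, host: str, now: float) -> bool:
        q = self.seen[host]
        while q and now - q[0] >= self.window:   # expire old entries
            q.popleft()
        accepted = len(q) < self.count
        q.append(now)                            # record this attempt either way
        return accepted


def run_attacker(count, window, duration=3600.0, interval=1.0, base_backoff=2.0):
    """Bruteforcer: one attempt every `interval` s; after a drop it sleeps
    `backoff` s and doubles it, going back to full speed once an attempt
    gets through ("rinse and repeat").  Returns (accepted, dropped)."""
    lim = HostLimiter(count, window)
    t, backoff = 0.0, base_backoff
    accepted = dropped = 0
    while t < duration:
        if lim.allow("203.0.113.7", t):        # constructed attacker address
            accepted += 1
            backoff = base_backoff
            t += interval
        else:
            dropped += 1
            t += backoff
            backoff *= 2
    return accepted, dropped


# Constructed admin timeline: first shell, second terminal two seconds
# later, log out and back in around the minute mark, one more session.
USER_LOGINS = [0.0, 2.0, 60.0, 62.0, 70.0]


def run_user(count, window, logins=USER_LOGINS):
    """Returns [(t, accepted)] for each of the admin's ssh connections."""
    lim = HostLimiter(count, window)
    return [(t, lim.allow("198.51.100.9", t)) for t in logins]


if __name__ == "__main__":
    for window in (5.0, 600.0):
        acc, drop = run_attacker(3, window)
        blocked = [t for t, ok in run_user(3, window) if not ok]
        print(f"TIME={window:>5}s COUNT=3: attacker got {acc} attempts through "
              f"({drop} dropped); admin locked out at t={blocked or 'never'}")
```

With COUNT=3 the short window lets the attacker settle into a steady rhythm of three guesses every nine seconds, because its backoff quickly exceeds TIME; the long window cuts that to a handful of guesses per hour but also drops the admin's fourth connection at t=62 s.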