On Thursday 30 June 2005 at 14:30 -0400, Garance A Drosihn wrote:
> At 1:48 PM -0400 6/30/05, Roy Morris wrote:
> >
> >>As to the speed of connections, I've been meaning to check into
> >>the idea that every ssh session would see some short delay
> >>(maybe 1/2 of a second). Something where syslog would see any
> >>failure message immediately, but the incoming connection would
> >>always see that extra delay. I'm not sure that would really help
> >>much, but it might make me feel a little better...
> >
> >
> >" max-src-conn-rate <number> / <seconds>"

Today, I looked in my log file and, just before an attack, I see that there is this kind of line:

Jul 18 22:40:51 llaw sshd[15543]: Did not receive identification string from 80.57.221.58

So with swatch and pf (for example) it's possible to block this IP for some hours just before the attack.

Romain

> True, but that's not quite the same thing. It is helpful, and now
> that you mention it I probably should do that on my machines which
> are set up with 'pf'. But I would also like to slow down the bad guys
> right at the first connection, every connection, even if the attack
> is 100 different machines each making one connection per second.
> (although I'm not sure that this delay would really solve anything...)
>
> It looks like /etc/ssh/sshd_config also supports MaxAuthTries and
> MaxStartups, which might be of interest for the original poster.

-- 
Romain GAILLEGUE <[EMAIL PROTECTED]>
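The "swatch plus pf" idea above is, in effect, a small log watcher that turns sshd's "Did not receive identification string" lines into temporary pf table entries. The following is an added example, not code from this thread or from swatch/pf: it parses constructed sample log lines (the 80.57.221.58 address is the one quoted in the message; the other addresses are RFC 5737 documentation ranges), records a per-address expiry, and renders the pfctl commands such an action script would issue. The table name ssh_bruteforce, the four-hour window and the pf rules in the docstring are assumptions; nothing here executes pfctl.

```python
import re
from datetime import datetime, timedelta

# The sshd message quoted in the thread: a client connected and closed (or was
# dropped) before sending its SSH version banner. Scanners and brute-force
# tools commonly produce this before the password-guessing phase.
NO_IDENT_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[(?P<pid>\d+)\]: "
    r"Did not receive identification string from (?P<ip>[0-9a-fA-F.:]+)"
)

# Constructed sample log lines (not a real capture beyond the line quoted in the thread).
SAMPLE_LOG = """\
Jul 18 22:40:51 llaw sshd[15543]: Did not receive identification string from 80.57.221.58
Jul 18 22:40:52 llaw sshd[15544]: Accepted publickey for romain from 192.0.2.10 port 51234 ssh2
Jul 18 22:41:03 llaw sshd[15550]: Did not receive identification string from 198.51.100.7
Jul 18 22:41:04 llaw sshd[15551]: Did not receive identification string from 198.51.100.7
"""

# Assumed pf.conf fragment the watcher would feed (table name is an assumption).
# It combines both suggestions from the thread: a persistent table the log
# watcher fills, plus max-src-conn-rate with overload for fast connect floods.
PF_RULES = """\
table <ssh_bruteforce> persist
block in quick from <ssh_bruteforce>
pass in on $ext_if proto tcp to port ssh flags S/SA keep state \\
    (max-src-conn-rate 5/30, overload <ssh_bruteforce> flush global)
"""


def parse_no_ident(lines, year=2005):
    """Yield (timestamp, ip) for every 'Did not receive identification string' line.

    syslog timestamps carry no year, so one is supplied by the caller.
    """
    for line in lines:
        m = NO_IDENT_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["ip"]


def blocklist(lines, block_hours=4, year=2005):
    """Map each offending address to its expiry: first sighting plus the block window.

    Repeated hits do not extend the window, so a noisy address cannot keep
    itself blocked forever by retrying.
    """
    expiry = {}
    for ts, ip in parse_no_ident(lines, year):
        expiry.setdefault(ip, ts + timedelta(hours=block_hours))
    return expiry


def pfctl_commands(expiry, table="ssh_bruteforce"):
    """Render the pfctl add commands an action script would run (not executed here)."""
    return [f"pfctl -t {table} -T add {ip}" for ip in sorted(expiry)]


def expired(expiry, now):
    """Addresses whose block window has elapsed at 'now' and can be released."""
    return sorted(ip for ip, t in expiry.items() if t <= now)


if __name__ == "__main__":
    blocked = blocklist(SAMPLE_LOG.splitlines())
    for cmd in pfctl_commands(blocked):
        print(cmd)
    # Releasing entries can also be left to pf itself, e.g. a cron job running
    # "pfctl -t ssh_bruteforce -T expire 14400" to drop entries older than 4 h.
    print("release:", expired(blocked, datetime(2005, 7, 19, 2, 41, 0)))
```

In a real deployment the watcher would tail the live syslog stream and run the rendered commands; the only state it needs is the expiry map, and pfctl's own `-T expire` can handle release so the watcher never has to remember what it added. Note that the accepted-login line is ignored by the pattern, which is the point: only the pre-authentication disconnects drive the table.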

