Re: [SSHd] Increasing wait time?

2008-05-10 Thread Peter Boosten

Christian Laursen wrote:


It is also worth taking a look at the ProxyCommand option.

For the case above something like this should be put in ~/.ssh/config:

Host your.own.host-tunneled
  HostKeyAlias your.own.host
  ProxyCommand ssh [EMAIL PROTECTED] nc your.own.host 22

Then you can just do ssh your.own.host-tunneled and go through
your.friends.host transparently.



I forgot about this one: indeed a beauty ;-)

Peter
--
http://www.boosten.org
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]


Re: [SSHd] Increasing wait time?

2008-05-09 Thread Christian Laursen
Peter Boosten [EMAIL PROTECTED] writes:

 No, I was more thinking of:

 ssh -L :your.own.host:22 [EMAIL PROTECTED]

 and then open a new shell:

 scp -P  the-file-you-want-to-copy [EMAIL PROTECTED]:

 This works easiest with agent forwarding, but I guess any
 authentication will do.

It is also worth taking a look at the ProxyCommand option.

For the case above something like this should be put in ~/.ssh/config:

Host your.own.host-tunneled
  HostKeyAlias your.own.host
  ProxyCommand ssh [EMAIL PROTECTED] nc your.own.host 22

Then you can just do ssh your.own.host-tunneled and go through
your.friends.host transparently.

-- 
Christian Laursen


Re: [SSHd] Increasing wait time?

2008-05-08 Thread Mel
On Thursday 08 May 2008 05:50:59 Steve Bertrand wrote:
 ssh stream  tcp  nowait/20/4/10  root  /usr/sbin/sshd  sshd -i
 
  into /etc/inetd.conf sets a limit of
 
  * 20 overall ssh connections
  * 4 connection attempts per minute
  * at most 10 connections from a single IP
 
  This works very well on a personal server, not sure how it scales up.
 
  So if I copy over some files via scp, I can lock myself out. Fun stuff ;)

 Come on...

 The comment was based on a 'personal' server for logins.

 How 'bout you explain why SCP would break this so the OP understands...

 Otherwise, explain why running an FTP session through one of the
 server's SSH tunnels wouldn't be equally viable to running an unlimited
 number of SCP sessions over normal TCP ;)

because:
for FILE in */*.[ch]; do scp ${FILE} host:/backup; done
is quicker to write than setting up tunnels.

The point is, that there's a difference between failed login attempts and 
incoming connections. sshd logs failed login attempts, so it's easy to 
separate them (sysutils/grok) and set the rate limit to an acceptable value, 
should one try to hammer the server by simply opening connections.

-- 
Mel

Problem with today's modular software: they start with the modules
and never get to the software part.


Re: [SSHd] Increasing wait time?

2008-05-08 Thread Julius Huang

Hi,

On May 7, 2008, at 01:11 , Gilles wrote:


Hello

I'm a bit tired of people trying to break into SSH:

May  6 16:59:23 freebsd sshd[24649]: Invalid user agatha from
195.43.9.246
May  6 16:59:26 freebsd sshd[24651]: Invalid user cristie from
195.43.9.246
May  6 16:59:29 freebsd sshd[24653]: Invalid user number from
195.43.9.246
May  6 16:59:31 freebsd sshd[24655]: Invalid user chamber from
195.43.9.246
etc.

Is there a way to configure SSHd, so that the wait time between login
attempts increases after X failed tries?




Is portknocking + firewall considered?

There are ways to implement it, some are not complicated.

J.


Thank you.





Re: [SSHd] Increasing wait time?

2008-05-08 Thread Vince Sabio

** At 07:33 +0200 on 05/08/2008, Peter Boosten wrote:

Vince Sabio wrote:

Note if you choose to do this: scp'ing files becomes a four-step 
process (i.e., scp file(s) to intermediate server, log in to 
intermediate server, scp to destination server, delete file(s) from 
intermediate server). Still worth it, though.


Never thought of port forwarding?


Sure, but that would still leave my machines vulnerable to script 
kiddies. Since I rarely move files between my laptop and my server, 
the four-step process is not a big deal. If I did it more often, I'd 
probably cron up a script on the intermediate machine to move (and 
delete) the files for me.


__
Vince Sabio  [EMAIL PROTECTED]


Re: [SSHd] Increasing wait time?

2008-05-08 Thread Peter Boosten

Vince Sabio wrote:

** At 07:33 +0200 on 05/08/2008, Peter Boosten wrote:

Vince Sabio wrote:

Note if you choose to do this: scp'ing files becomes a four-step 
process (i.e., scp file(s) to intermediate server, log in to 
intermediate server, scp to destination server, delete file(s) from 
intermediate server). Still worth it, though.


Never thought of port forwarding?


Sure, but that would still leave my machines vulnerable to script 
kiddies. 


Huh?!?

Peter

--
http://www.boosten.org


Re: [SSHd] Increasing wait time?

2008-05-08 Thread Norbert Papke
On May 8, 2008, Mel wrote:
 because:
 for FILE in */*.[ch]; do scp ${FILE} host:/backup; done
  is quicker to write than setting up tunnels.

How about scp */*.[ch] host:/backup?




Re: [SSHd] Increasing wait time?

2008-05-08 Thread Norbert Papke
On May 8, 2008, Norbert Papke wrote:
 On May 8, 2008, Mel wrote:
  because:
  for FILE in */*.[ch]; do scp ${FILE} host:/backup; done
   is quicker to write than setting up tunnels.

 How about scp */*.[ch] host:/backup?

To answer my own silly question, the above doesn't preserve paths.  Anyway, as 
always, there is more than one solution.  Not every solution fits 
universally.

Cheers.


Re: [SSHd] Increasing wait time?

2008-05-08 Thread Valeriu Mutu
On Thu, May 08, 2008 at 07:33:13AM +0200, Peter Boosten wrote:
 Vince Sabio wrote:
 
 Note if you choose to do this: scp'ing files becomes a four-step process 
 (i.e., scp file(s) to intermediate server, log in to intermediate server, 
 scp to destination server, delete file(s) from intermediate server). Still 
 worth it, though.
 
 Never thought of port forwarding?
 
 Peter

Exactly.

Following Peter's idea and assuming that public key authentication is set up, 
the tunnel could be set up as easily as:
ssh -f -L localhost::localhost: [EMAIL PROTECTED] ssh -f -L 
localhost::localhost:22 [EMAIL PROTECTED] sleep 120

In this case, we setup a tunnel through machineA to machineB.

 -- 
 http://www.boosten.org

-- 
Valeriu Mutu


Re: [SSHd] Increasing wait time?

2008-05-08 Thread Peter Boosten



Valeriu Mutu wrote:

On Thu, May 08, 2008 at 07:33:13AM +0200, Peter Boosten wrote:

Vince Sabio wrote:
Note if you choose to do this: scp'ing files becomes a four-step process 
(i.e., scp file(s) to intermediate server, log in to intermediate server, 
scp to destination server, delete file(s) from intermediate server). Still 
worth it, though.

Never thought of port forwarding?

Peter


Exactly.

Following Peter's idea and assuming that public key authentication is set up, 
the tunnel could be set up as easily as:
ssh -f -L localhost::localhost: [EMAIL PROTECTED] ssh -f -L 
localhost::localhost:22 [EMAIL PROTECTED] sleep 120

In this case, we setup a tunnel through machineA to machineB.


No, I was more thinking of:

ssh -L :your.own.host:22 [EMAIL PROTECTED]

and then open a new shell:

scp -P  the-file-you-want-to-copy [EMAIL PROTECTED]:

This works easiest with agent forwarding, but I guess any authentication 
will do.


Peter

--
http://www.boosten.org


Re: [SSHd] Increasing wait time?

2008-05-07 Thread Mel
On Wednesday 07 May 2008 06:16:19 Norbert Papke wrote:
 On May 6, 2008, Gilles wrote:
  Is there a way to configure SSHd, so that the wait time between login
  attempts increases after X failed tries?

 I run sshd via inetd rather than as a stand-alone daemon.  inetd provides
 optional rate limiting functionality.  For instance, putting

ssh stream  tcp  nowait/20/4/10  root  /usr/sbin/sshd  sshd -i

 into /etc/inetd.conf sets a limit of

 * 20 overall ssh connections
 * 4 connection attempts per minute
 * at most 10 connections from a single IP

 This works very well on a personal server, not sure how it scales up.


So if I copy over some files via scp, I can lock myself out. Fun stuff ;)
-- 
Mel

Problem with today's modular software: they start with the modules
and never get to the software part.


Re: [SSHd] Increasing wait time?

2008-05-07 Thread Norbert Papke
On May 7, 2008, Mel wrote:
 On Wednesday 07 May 2008 06:16:19 Norbert Papke wrote:
  On May 6, 2008, Gilles wrote:
   Is there a way to configure SSHd, so that the wait time between login
   attempts increases after X failed tries?
 
  I run sshd via inetd rather than as a stand-alone daemon.  inetd provides
  optional rate limiting functionality.  For instance, putting
 
 ssh stream  tcp  nowait/20/4/10  root  /usr/sbin/sshd  sshd -i
 
  into /etc/inetd.conf sets a limit of
 
  * 20 overall ssh connections
  * 4 connection attempts per minute
  * at most 10 connections from a single IP
 
  This works very well on a personal server, not sure how it scales up.

 So if I copy over some files via scp, I can lock myself out. Fun stuff ;)

Absolutely.  But the same can happen with any rate limiting solution.

However, in practice this has never been an issue for me.  First, I tend to 
copy large sets of files using a single connection.  Either 'scp -r' or by 
running tar/rsync through an ssh tunnel.  Second, this kind of limit is 
enough to discourage script kiddies, but caps my downside risk to an 
acceptable (to me) one minute lock out.

Anyway, it works for me.

Cheers,

-- Norbert.




Re: [SSHd] Increasing wait time?

2008-05-07 Thread Steve Bertrand

   ssh stream  tcp  nowait/20/4/10  root  /usr/sbin/sshd  sshd -i

into /etc/inetd.conf sets a limit of

* 20 overall ssh connections
* 4 connection attempts per minute
* at most 10 connections from a single IP

This works very well on a personal server, not sure how it scales up.



So if I copy over some files via scp, I can lock myself out. Fun stuff ;)


Come on...

The comment was based on a 'personal' server for logins.

How 'bout you explain why SCP would break this so the OP understands...

Otherwise, explain why running an FTP session through one of the 
server's SSH tunnels wouldn't be equally viable to running an unlimited 
number of SCP sessions over normal TCP ;)


Steve







Re: [SSHd] Increasing wait time?

2008-05-07 Thread Vince Sabio

** At 09:59 -0800 on 05/06/2008, Beech Rintoul wrote:

On Tuesday 06 May 2008, David Kelly said:
   On Tuesday 06 May 2008, Gilles said:

   Is there a way to configure SSHd, so that the wait time between

login attempts increases after X failed tries?
 

 Depending on how you use ssh from external systems you could add
 firewall rules to disallow all but known sources.


I was doing that in the past, but I found it to be inflexible and
sometimes a pain to deal with. I sometimes need to access a server
from a new location and that kind of hard lockdown just isn't
practical.


I had the same problem (i.e., needing to access the server from a new 
location). In my case, one of the allowed sites is the server of a 
friend who has provided a shell account for me. When I'm on the road, 
I just ssh to his machine, and from there I can ssh into any of my 
machines. His machine effectively does all of the script-kiddie 
filtering for my site. ;-)


Note if you choose to do this: scp'ing files becomes a four-step 
process (i.e., scp file(s) to intermediate server, log in to 
intermediate server, scp to destination server, delete file(s) from 
intermediate server). Still worth it, though.


Remember the wave theory of script kiddies (WARNING: Gross 
oversimplification ahead): Quantum mechanics says that if you throw 
yourself against a wall several quintillion times, you'll eventually 
wave through it without leaving a mark on yourself or the wall.* 
Similarly, a sufficiently large number of break-in attempts by script 
kiddies will result in one of them waving straight past all of the 
security without leaving a scratch.


FWIW, I agree with cpghost -- it's strange that an addition as 
obvious and useful as this isn't already supported.


__
Vince Sabio  [EMAIL PROTECTED]

* As if the first few billion tries didn't already leave some rather 
noticeable marks on both you AND the wall.



Re: [SSHd] Increasing wait time?

2008-05-07 Thread Peter Boosten

Vince Sabio wrote:


Note if you choose to do this: scp'ing files becomes a four-step process 
(i.e., scp file(s) to intermediate server, log in to intermediate 
server, scp to destination server, delete file(s) from intermediate 
server). Still worth it, though.


Never thought of port forwarding?

Peter
--
http://www.boosten.org


Re: [SSHd] Increasing wait time?

2008-05-06 Thread Beech Rintoul
On Tuesday 06 May 2008, Gilles said:
 Hello

 I'm a bit tired of people trying to break into SSH:

 May  6 16:59:23 freebsd sshd[24649]: Invalid user agatha from
 195.43.9.246
 May  6 16:59:26 freebsd sshd[24651]: Invalid user cristie from
 195.43.9.246
 May  6 16:59:29 freebsd sshd[24653]: Invalid user number from
 195.43.9.246
 May  6 16:59:31 freebsd sshd[24655]: Invalid user chamber from
 195.43.9.246
 etc.

 Is there a way to configure SSHd, so that the wait time between
 login attempts increases after X failed tries?

 Thank you.

Not that I know of. You should look into denyhosts (in the ports); it 
works well and even has a RBL feature to block some of these script 
kiddies proactively. Unfortunately, these attempts have become a fact 
of life. I probably get 20 - 30 attempts a day between my various 
servers.

Beech


-- 
---
Beech Rintoul - FreeBSD Developer - [EMAIL PROTECTED]
/\   ASCII Ribbon Campaign  | FreeBSD Since 4.x
\ / - NO HTML/RTF in e-mail   | http://www.freebsd.org
 X  - NO Word docs in e-mail | Latest Release:
/ \  - http://www.FreeBSD.org/releases/7.0R/announce.html
---





Re: [SSHd] Increasing wait time?

2008-05-06 Thread David Kelly
On Tue, May 06, 2008 at 09:31:15AM -0800, Beech Rintoul wrote:
 
  Is there a way to configure SSHd, so that the wait time between
  login attempts increases after X failed tries?
 
 Not that I know of. You should look into denyhosts (in the ports) it
 works well and even has a RBL feature to block some of these script
 kiddies proactively. Unfortunately, these attempts have become a fact
 of life. I probably get 20 - 30 attempts a day between my various
 servers.

Depending on how you use ssh from external systems you could add
firewall rules to disallow all but known sources.

-- 
David Kelly N4HHE, [EMAIL PROTECTED]

Whom computers would destroy, they must first drive mad.


Re: [SSHd] Increasing wait time?

2008-05-06 Thread Beech Rintoul
On Tuesday 06 May 2008, David Kelly said:
 On Tue, May 06, 2008 at 09:31:15AM -0800, Beech Rintoul wrote:
   Is there a way to configure SSHd, so that the wait time between
   login attempts increases after X failed tries?
 
  Not that I know of. You should look into denyhosts (in the ports)
  it works well and even has a RBL feature to block some of these
  script kiddies proactively. Unfortunately, these attempts have
  become a fact of life. I probably get 20 - 30 attempts a day
  between my various servers.

 Depending on how you use ssh from external systems you could add
 firewall rules to disallow all but known sources.

I was doing that in the past, but I found it to be inflexible and 
sometimes a pain to deal with. I sometimes need to access a server 
from a new location and that kind of hard lockdown just isn't 
practical. The denyhosts solution works very well for me and the RBL 
feature blocks 9 out of 10 attempts outright. 

Beech



-- 
---
Beech Rintoul - FreeBSD Developer - [EMAIL PROTECTED]
/\   ASCII Ribbon Campaign  | FreeBSD Since 4.x
\ / - NO HTML/RTF in e-mail   | http://www.freebsd.org
 X  - NO Word docs in e-mail | Latest Release:
/ \  - http://www.FreeBSD.org/releases/7.0R/announce.html
---





Re: [SSHd] Increasing wait time?

2008-05-06 Thread Randy Ramsdell

David Kelly wrote:

On Tue, May 06, 2008 at 09:31:15AM -0800, Beech Rintoul wrote:
  

Is there a way to configure SSHd, so that the wait time between
login attempts increases after X failed tries?
  

Not that I know of. You should look into denyhosts (in the ports) it
works well and even has a RBL feature to block some of these script
kiddies proactively. Unfortunately, these attempts have become a fact
of life. I probably get 20 - 30 attempts a day between my various
servers.



Depending on how you use ssh from external systems you could add
firewall rules to disallow all but known sources.

  
I used portsentry several years ago which is a realtime portscan 
blocker. It would trigger on this type of ssh portscan for sure. One 
problem is that it blocks using  firewall rules, hosts.deny etc... and 
would have to be actively maintained. Meaning: I cleaned these entries 
once a week. I am not sure it is ported to BSD either.



Re: [SSHd] Increasing wait time?

2008-05-06 Thread Peter Boosten



Beech Rintoul wrote:

On Tuesday 06 May 2008, David Kelly said:

On Tue, May 06, 2008 at 09:31:15AM -0800, Beech Rintoul wrote:

Is there a way to configure SSHd, so that the wait time between
login attempts increases after X failed tries?

Not that I know of. You should look into denyhosts (in the ports)
it works well and even has a RBL feature to block some of these
script kiddies proactively. Unfortunately, these attempts have
become a fact of life. I probably get 20 - 30 attempts a day
between my various servers.

Depending on how you use ssh from external systems you could add
firewall rules to disallow all but known sources.


I was doing that in the past, but I found it to be inflexible and 
sometimes a pain to deal with. I sometimes need to access a server 
from a new location and that kind of hard lockdown just isn't 
practical. The denyhosts solution works very well for me and the RBL 
feature blocks 9 out of 10 attempts outright. 



It's quite simple if you're using pf:

in your pf.conf:


# dynamic table of offending sources; 'persist' keeps it even when empty
table <blacklist> persist

# drop everything to port 22 from sources already in the table
block in quick on $ext_if proto tcp from <blacklist> to any \
port 22 label "ssh bruteforce"

# allow new ssh connections, but add the source to the table once it
# exceeds 15 open connections or 5 new connections within 40 seconds
pass in on $ext_if inet proto tcp from any to any port ssh flags S/SA \
keep state (max-src-conn 15, max-src-conn-rate 5/40, \
overload <blacklist> flush global)



What it does is to check whether more than 15 connections are made from 
the same IP address, or 5 within 40 seconds. If that happens the 
offending IP address is put in a dynamic list called blacklist and gets 
blocked.


Works like a charm.

Another option is sshguard (/usr/ports/security/sshguard)

Peter
--
http://www.boosten.org


Re: [SSHd] Increasing wait time?

2008-05-06 Thread Doug Hardie


On May 6, 2008, at 10:57, Randy Ramsdell wrote:


David Kelly wrote:

On Tue, May 06, 2008 at 09:31:15AM -0800, Beech Rintoul wrote:


Is there a way to configure SSHd, so that the wait time between
login attempts increases after X failed tries?


Not that I know of. You should look into denyhosts (in the ports) it
works well and even has a RBL feature to block some of these script
kiddies proactively. Unfortunately, these attempts have become a  
fact

of life. I probably get 20 - 30 attempts a day between my various
servers.



Depending on how you use ssh from external systems you could add
firewall rules to disallow all but known sources.


I used portsentry several years ago which is a realtime portscan  
blocker. It would trigger on this type of ssh portscan for sure. One  
problem is that it blocks using  firewall rules, hosts.deny etc...  
and would have to be actively maintained. Meaning: I cleaned these  
entries once a week. I am not sure it is ported to BSD either.


Another option is to change the port SSH uses to some very unusual  
port.  I do this on all the systems I use and change the port settings  
in ssh.conf and sshd.conf.  This approach works if you don't have lots  
of users using SSH as it does require some sophistication to work with  
it.  Since I have only 3 people who can use SSH it works great for me. 
 


Re: [SSHd] Increasing wait time?

2008-05-06 Thread Randy Ramsdell

Doug Hardie wrote:


On May 6, 2008, at 10:57, Randy Ramsdell wrote:


David Kelly wrote:

On Tue, May 06, 2008 at 09:31:15AM -0800, Beech Rintoul wrote:


Is there a way to configure SSHd, so that the wait time between
login attempts increases after X failed tries?


Not that I know of. You should look into denyhosts (in the ports) it
works well and even has a RBL feature to block some of these script
kiddies proactively. Unfortunately, these attempts have become a fact
of life. I probably get 20 - 30 attempts a day between my various
servers.



Depending on how you use ssh from external systems you could add
firewall rules to disallow all but known sources.


I used portsentry several years ago which is a realtime portscan 
blocker. It would trigger on this type of ssh portscan for sure. One 
problem is that it blocks using  firewall rules, hosts.deny etc... 
and would have to be actively maintained. Meaning: I cleaned these 
entries once a week. I am not sure it is ported to BSD either.


Another option is to change the port SSH uses to some very unusual 
port.  I do this on all the systems I use and change the port settings 
in ssh.conf and sshd.conf.  This approach works if you don't have lots 
of users using SSH as it does require some sophistication to work with 
it.  Since I have only 3 people who can use SSH it works great for me. 
Yeah this also works well. I just shy away from security through 
obscurity. However, I also moved ssh to port 40001 or so and monitored 
SYN packets. I never logged an attempt to log in except auth'd users. It 
was never port scanned for ssh specific either.



Re: [SSHd] Increasing wait time?

2008-05-06 Thread cpghost
On Tue, 06 May 2008 19:11:45 +0200
Gilles [EMAIL PROTECTED] wrote:

 Is there a way to configure SSHd, so that the wait time between login
 attempts increases after X failed tries?

It shouldn't be too hard to patch

  /usr/src/crypto/openssh/sshd.c:server_accept_loop()

by adding code for a per-IP truncated binary exponential backoff
algorithm just before forking a child once a connection is
accept(2)ed. It's strange that it hasn't already been done,
being such an obvious and useful addition. ;)

 Thank you.

-- 
Cordula's Web. http://www.cordula.ws/
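The per-IP truncated binary exponential backoff cpghost describes, written in user space as an added example (not a patch to sshd.c, and not code from the thread or from OpenSSH): after each failed login from a source, the wait before that source's next connection is accepted doubles, up to a cap. It is run over the "Invalid user" lines quoted at the top of the thread plus constructed lines from 192.0.2.10; BASE_DELAY, MAX_DELAY and FORGET_AFTER are assumed values.

```python
import re
from dataclasses import dataclass

BASE_DELAY = 2.0       # seconds a source waits after its first failure (assumed value)
MAX_DELAY = 512.0      # truncation cap: the wait never grows beyond this (assumed value)
FORGET_AFTER = 3600.0  # a source with no failures for this long starts from zero (assumed value)

# Shape of the sshd lines quoted in the thread ("Invalid user NAME from ADDR") plus the
# "Failed password for" and "Accepted ... for" variants; the time of day is captured.
LOG_RE = re.compile(r"^\w{3}\s+\d+\s+(\d\d):(\d\d):(\d\d)\s+\S+\s+sshd\[\d+\]:\s+"
                    r"(?P<event>Invalid user|Failed password for|Accepted \w+ for)\s+.*?\bfrom\s+(?P<ip>[\d.]+)")

def parse_line(line):
    """Return (seconds since midnight, 'failure' or 'success', source address), or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    h, mi, s = (int(m.group(i)) for i in (1, 2, 3))
    kind = "success" if m.group("event").startswith("Accepted") else "failure"
    return h * 3600 + mi * 60 + s, kind, m.group("ip")

def backoff_delay(failures):
    """Truncated binary exponential backoff: BASE_DELAY * 2**(failures - 1), capped at MAX_DELAY."""
    if failures <= 0:
        return 0.0
    return min(BASE_DELAY * 2 ** (failures - 1), MAX_DELAY)

@dataclass
class SourceState:
    failures: int = 0
    last_failure: float = 0.0
    allowed_after: float = 0.0  # new connections from this source are held until this time

class BackoffTable:
    """Per-source state of the kind an accept loop would consult before forking a child."""

    def __init__(self):
        self.sources = {}

    def check(self, ip, now):
        """Seconds a new connection from ip still has to wait; 0.0 means accept it now."""
        st = self.sources.get(ip)
        if st is None:
            return 0.0
        if now - st.last_failure > FORGET_AFTER:
            del self.sources[ip]  # stale history expires, so a shared NAT address is not punished forever
            return 0.0
        return max(0.0, st.allowed_after - now)

    def record_failure(self, ip, now):
        st = self.sources.setdefault(ip, SourceState())
        st.failures += 1
        st.last_failure = now
        st.allowed_after = now + backoff_delay(st.failures)
        return st.allowed_after - now

    def record_success(self, ip):
        self.sources.pop(ip, None)  # a successful login clears the penalty

def replay(lines):
    """Run log lines through the table; returns one (ip, verdict, wait) tuple per parsed line."""
    table = BackoffTable()
    out = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        now, kind, ip = parsed
        wait = table.check(ip, now)
        if wait > 0:
            out.append((ip, "held", wait))  # would be held or dropped before authentication runs
            continue
        if kind == "failure":
            table.record_failure(ip, now)
        else:
            table.record_success(ip)
        out.append((ip, "accepted", 0.0))
    return out

# The four 'Invalid user' lines from the thread plus constructed lines from 192.0.2.10.
SAMPLE_LOG = [
    "May  6 16:59:20 freebsd sshd[24647]: Failed password for alice from 192.0.2.10 port 51234 ssh2",
    "May  6 16:59:23 freebsd sshd[24649]: Invalid user agatha from 195.43.9.246",
    "May  6 16:59:26 freebsd sshd[24651]: Invalid user cristie from 195.43.9.246",
    "May  6 16:59:29 freebsd sshd[24653]: Invalid user number from 195.43.9.246",
    "May  6 16:59:30 freebsd sshd[24648]: Accepted publickey for alice from 192.0.2.10 port 51240 ssh2",
    "May  6 16:59:31 freebsd sshd[24655]: Invalid user chamber from 195.43.9.246",
]
```

With the three-second spacing of the quoted attempts, the third one from 195.43.9.246 is already held for a second and the waits keep doubling, while alice's successful login from the other address clears her single earlier failure.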


Re: [SSHd] Increasing wait time?

2008-05-06 Thread Doug Hardie


On May 6, 2008, at 14:24, Randy Ramsdell wrote:


Doug Hardie wrote:


On May 6, 2008, at 10:57, Randy Ramsdell wrote:


David Kelly wrote:

On Tue, May 06, 2008 at 09:31:15AM -0800, Beech Rintoul wrote:


Is there a way to configure SSHd, so that the wait time between
login attempts increases after X failed tries?

Not that I know of. You should look into denyhosts (in the  
ports) it
works well and even has a RBL feature to block some of these  
script
kiddies proactively. Unfortunately, these attempts have become a  
fact

of life. I probably get 20 - 30 attempts a day between my various
servers.



Depending on how you use ssh from external systems you could add
firewall rules to disallow all but known sources.


I used portsentry several years ago which is a realtime portscan  
blocker. It would trigger on this type of ssh portscan for sure.  
One problem is that it blocks using  firewall rules, hosts.deny  
etc... and would have to be actively maintained. Meaning: I  
cleaned these entries once a week. I am not sure it is ported to  
BSD either.


Another option is to change the port SSH uses to some very unusual  
port.  I do this on all the systems I use and change the port  
settings in ssh.conf and sshd.conf.  This approach works if you  
don't have lots of users using SSH as it does require some  
sophistication to work with it.  Since I have only 3 people who can  
use SSH it works great for me.  

Yeah this also works well. I just shy away from security through  
obscurity. However, I also moved ssh to port 40001 or so and  
monitored SYN packets. I never logged an attempt to log in except  
auth'd users. It was never port scanned for ssh specific either.


Security by obscurity is not the goal here.  If the sshd setup is not  
secure, it doesn't matter what port you use.  Eventually someone will  
find it.  What changing the port does is eliminate the logging of  
thousands of stupid attempts to break in.  You can also raise the  
logging level in syslog to something above where those are logged but  
you might miss some important messages that way.





Re: [SSHd] Increasing wait time?

2008-05-06 Thread Norbert Papke
On May 6, 2008, Gilles wrote:
 Is there a way to configure SSHd, so that the wait time between login
 attempts increases after X failed tries?

I run sshd via inetd rather than as a stand-alone daemon.  inetd provides 
optional rate limiting functionality.  For instance, putting

   ssh stream  tcp  nowait/20/4/10  root  /usr/sbin/sshd  sshd -i

into /etc/inetd.conf sets a limit of

* 20 overall ssh connections
* 4 connection attempts per minute
* at most 10 connections from a single IP

This works very well on a personal server, not sure how it scales up.

Cheers,

-- Norbert.
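Both the inetd limits in this message and the pf rule Peter posted earlier in the thread (max-src-conn 15, max-src-conn-rate 5/40, overload into a table) count connections per source address, which is why Mel's per-file scp loop can trip them and why a brute-forcer opening one connection per login looks the same to them. The following is an added example, not code from the thread, pf or inetd: a Python model of those per-source thresholds with constructed addresses; inetd's overall max-child of 20 is not modelled, and reading nowait/20/4/10 as a per-source 4-per-minute limit is an assumption of the example.

```python
from collections import deque

# Per-source thresholds from the pf rule in the thread: max-src-conn 15, max-src-conn-rate 5/40.
MAX_CONCURRENT = 15  # open connections from one source address
MAX_RATE = 5         # new connections from one source address ...
WINDOW = 40.0        # ... within this many seconds


class SourceLimiter:
    """Per-source connection limiter modelling the two thresholds (a model, not pf or inetd)."""

    def __init__(self, max_rate=MAX_RATE, window=WINDOW, max_concurrent=MAX_CONCURRENT):
        self.max_rate = max_rate
        self.window = window
        self.max_concurrent = max_concurrent
        self.recent = {}        # ip -> deque of connection start times still inside the window
        self.open = {}          # ip -> connections currently open
        self.blacklist = set()  # the <blacklist> table

    def connect(self, ip, now):
        """Verdict for a new connection from ip at time now: 'pass', 'overload' (this
        connection trips a limit and the source is added to the table, as pf's
        overload does) or 'blocked' (the source is already in the table)."""
        if ip in self.blacklist:
            return "blocked"
        times = self.recent.setdefault(ip, deque())
        while times and now - times[0] > self.window:
            times.popleft()  # forget starts that fell out of the window
        times.append(now)
        self.open[ip] = self.open.get(ip, 0) + 1
        if len(times) > self.max_rate or self.open[ip] > self.max_concurrent:
            self.blacklist.add(ip)
            self.open[ip] = 0  # 'flush global': the source's existing states are killed too
            times.clear()
            return "overload"
        return "pass"

    def close(self, ip):
        """A connection from ip ended (the scp finished, the session was closed)."""
        if self.open.get(ip, 0) > 0:
            self.open[ip] -= 1


def connection_pattern(ip, n, interval, close_each=True, limiter=None):
    """Open n connections from ip, one every `interval` seconds, and return the verdicts.
    With close_each=True each connection ends before the next one starts, which is
    what Mel's per-file scp loop and a one-login-per-connection brute-forcer both
    look like to the limiter."""
    limiter = limiter or SourceLimiter()
    verdicts = []
    for i in range(n):
        verdicts.append(limiter.connect(ip, i * interval))
        if close_each and verdicts[-1] == "pass":
            limiter.close(ip)
    return verdicts


def lockout_index(verdicts):
    """Index of the first connection that did not pass, or None if all passed."""
    for i, verdict in enumerate(verdicts):
        if verdict != "pass":
            return i
    return None


def single_session(ip, limiter=None):
    """Norbert's mitigation: 'scp -r' or tar/rsync through one ssh session moves any
    number of files over a single connection, so the limiter counts one."""
    limiter = limiter or SourceLimiter()
    verdict = limiter.connect(ip, 0.0)
    limiter.close(ip)
    return verdict


if __name__ == "__main__":
    # Constructed addresses from the RFC 5737 documentation ranges.
    admin, kiddie = "192.0.2.10", "203.0.113.7"
    loop = connection_pattern(admin, 6, 2.0)  # six files, one scp each, 2 s apart
    print("per-file scp loop:", loop, "-> locked out at file", lockout_index(loop))
    print("single scp -r    :", single_session(admin))
    print("login every 3 s  :", connection_pattern(kiddie, 8, 3.0))
    inetd_like = SourceLimiter(max_rate=4, window=60.0, max_concurrent=10)  # nowait/20/4/10, per-IP part
    print("inetd-style limit:", lockout_index(connection_pattern(admin, 6, 5.0, limiter=inetd_like)))
```

Spacing the per-file copies more than the window apart, or moving everything over one session, keeps the admin under the limit, while the three-second login pattern from the quoted log is in the table after its sixth connection.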