--On Tuesday, July 28, 2009 11:38:41 AM -0500 Nicolas Williams <Nicolas.Williams at sun.com> wrote:
> The master sshd knows which connections have authenticated successfully,
> and which have not. IMO this makes the master sshd the best place to
> put any logic such as "no more than N/s connections with unsuccessful
> authentication from any remote IP" and so on.

It's the best place to decide which things to block, but not the best place to do the blocking -- you want to arrange to drop packets from those hosts entirely, rather than letting them consume resources and explore an attack surface in sshd.

Also, typically sysadmins deal with things like this by writing tools to process the logs, decide which peers are being unhappy, and then block traffic from them. They don't do it by adding lots of new code to the SSH server and rebuilding it from source.

-- Jeff
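The log-processing approach Jeff describes, as an added example that is not part of the original thread and not code from OpenSSH: the script below parses constructed sshd auth-log lines (the hostnames, addresses and timestamps are made up), applies an "at most N failed authentications per remote IP within a time window" rule, and emits the packet-filter commands an operator would review before applying. It only prints the `iptables` commands; it does not execute them, and the 2009 year is assumed because syslog timestamps carry no year.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample sshd auth-log lines (not captured from any real host).
SAMPLE_LOG = """\
Jul 28 11:38:01 bastion sshd[2101]: Failed password for invalid user admin from 203.0.113.5 port 40122 ssh2
Jul 28 11:38:03 bastion sshd[2103]: Failed password for root from 203.0.113.5 port 40130 ssh2
Jul 28 11:38:04 bastion sshd[2105]: Accepted publickey for alice from 198.51.100.7 port 51000 ssh2
Jul 28 11:38:06 bastion sshd[2107]: Failed password for invalid user test from 203.0.113.5 port 40141 ssh2
Jul 28 11:38:09 bastion sshd[2109]: Failed password for invalid user oracle from 203.0.113.5 port 40150 ssh2
Jul 28 11:39:30 bastion sshd[2120]: Failed password for bob from 198.51.100.7 port 51010 ssh2
Jul 28 11:45:00 bastion sshd[2130]: Failed password for bob from 198.51.100.7 port 51020 ssh2
Jul 28 11:52:00 bastion sshd[2140]: Failed password for bob from 198.51.100.7 port 51030 ssh2
"""

# Matches the standard sshd "Failed ... for [invalid user] X from IP port P"
# and "Accepted ... for X from IP port P" lines.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) \S+ for (?:invalid user )?\S+ "
    r"from (?P<ip>[0-9a-fA-F.:]+) port \d+"
)


def parse_line(line, year=2009):
    """Return (timestamp, failed, ip) for an auth line, or None if it is not one.

    The year is assumed (syslog timestamps omit it); 2009 matches the sample data.
    """
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    return ts, m.group("outcome") == "Failed", m.group("ip")


def offenders(lines, max_failures, window_seconds):
    """Map each offending IP to the time it first exceeded the limit.

    An IP offends when more than max_failures failed authentications fall
    inside any window_seconds-long sliding window. Successful logins are
    ignored so a legitimate user's occasional typo never counts against them.
    """
    recent = defaultdict(deque)   # ip -> timestamps of recent failures
    hits = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, failed, ip = parsed
        if not failed:
            continue
        q = recent[ip]
        q.append(ts)
        # Drop failures that have aged out of the window.
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) > max_failures and ip not in hits:
            hits[ip] = ts
    return hits


def drop_rules(hits):
    """Render one host-level DROP rule per offender, for an operator to review."""
    return [f"iptables -I INPUT -s {ip} -j DROP" for ip in sorted(hits)]


if __name__ == "__main__":
    found = offenders(SAMPLE_LOG.splitlines(), max_failures=3, window_seconds=60)
    for ip, when in found.items():
        print(f"# {ip} exceeded the limit at {when:%H:%M:%S}")
    for rule in drop_rules(found):
        print(rule)
```

Run against the sample, only 203.0.113.5 is flagged (four failures in eight seconds); 198.51.100.7's three failures are minutes apart and stay under the limit. Dropping packets at the filter, as the reply argues, keeps the offending peer from consuming sshd resources at all, whereas a limit enforced inside sshd still has to accept and parse each connection.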