connection rate limitation for sshd - is it possible ?

Oliver Fromme olli at lurza.secnetix.de
Thu Apr 6 11:33:52 UTC 2006


This is off-topic (not amd64-related),
and you hijacked another thread, but anyway ...

xdavid at svinew.natur.cuni.cz wrote:
 > please, is there a way to limit the number of connections to the openssh 
 > daemon per time period per source ip address ? I am using this on linux 
 > boxes with iptables, but couldn't figure out how to do this with IPF on 
 > FreeBSD. If it is not possible, is there another way to do this ? Or 
 > do you think it is (un)wise to run sshd under inetd with the "-C" switch or 
 > "max-connections-per-ip-per-minute" parameter ?

It is unwise, because sshd has to generate the server key
each time it is started -- if started from inetd, that
would be each time a client connection is accepted.

Please read the description of the "-i" option in the sshd
manpage.  It explains it pretty well.

Maybe using "MaxStartups" in your sshd_config would be a
better solution (refer to the manpage for details).

Best regards
   Oliver

-- 
Oliver Fromme,  secnetix GmbH & Co. KG, Marktplatz 29, 85567 Grafing
Services with a focus on FreeBSD: http://www.secnetix.de/bsd
Any opinions expressed in this message may be personal to the author
and may not necessarily reflect the opinions of secnetix in any way.

"If you think C++ is not overly complicated, just what is a protected
abstract virtual base pure virtual private destructor, and when was the
last time you needed one?"
        -- Tom Cargil, C++ Journal

