connection rate limitation for sshd - is it possible?
xdavid at lib-eth.natur.cuni.cz
Fri Apr 7 09:54:53 UTC 2006
> This is off-topic (not amd64-related),
> and you hijacked another thread, but anyway ...
The original question was how to set something with IPF on my AMD64 box, so I
thought it was amd64-related, sorry for my misunderstanding of the purpose
of this list.
> > please, is there a way to limit the number of connections to the openssh
> > daemon per time period per source ip address? I am using this on linux
> > boxes with iptables, but couldn't figure out how to do this with IPF on
> > FreeBSD. If it is not possible, is there another way to do this? Or
> > do you think it is (un)wise to run sshd under inetd with the "-C" switch or
> > "max-connections-per-ip-per-minute" parameter?
>
> It is unwise, because sshd has to generate the server key
> each time it is started -- if started from inetd, that
> would be each time a client connection is accepted.
Thank you for giving me good reasons not to do it.
> Maybe using "MaxStartups" in your sshd_config would be a
> better solution (refer to the manpage for details).
The problem is it does not track source IPs, so there is a DoS risk. I got
other advice on how to set up PF, so I'll play with it, but as a short-term
solution I will probably use inetd while there are only a few people using sshd
on that machine now; more users will be added later.
Best Regards,
David
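A pf ruleset that does what the thread asks for, a per-source-address limit on new sshd connections per time period, added here as an example; it is not from the thread or from any of the posters. It assumes the external interface is called em0 (a hypothetical name), that sshd listens on port 22, and a pf version that supports max-src-conn-rate.

```pf
# /etc/pf.conf fragment (added example, not from the thread).
# Assumptions: external interface em0 (hypothetical), sshd on port 22,
# pf with max-src-conn-rate support.
ext_if = "em0"

# Table of source addresses that exceeded the limits. "persist" keeps the
# table alive even when no loaded rule references it.
table <ssh_abusers> persist

# Drop everything from listed offenders before any other rule is evaluated.
block in quick on $ext_if from <ssh_abusers>

# Accept new SSH connections but track them per source address:
#   max-src-conn 15        at most 15 simultaneous connections per source
#   max-src-conn-rate 5/60 at most 5 new connections per 60 seconds per source
# A source exceeding either limit is added to <ssh_abusers>; "flush global"
# also tears down every existing state from that source, not only SSH ones.
pass in on $ext_if proto tcp from any to ($ext_if) port ssh \
    flags S/SA keep state \
    (max-src-conn 15, max-src-conn-rate 5/60, \
     overload <ssh_abusers> flush global)
```

Table entries stay until removed, so a periodic `pfctl -t ssh_abusers -T expire 3600` from cron drops addresses older than an hour. On the sshd side, `MaxStartups 10:30:60` in sshd_config makes sshd refuse new unauthenticated connections with growing probability once 10 are pending and always at 60, which bounds total load but, as the thread notes, does not distinguish sources.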