Rate Limit Unauthenticated connections ?
Darryl L. Miles
darryl at netbauds.net
Sat Jun 25 03:22:50 EST 2005
Damien Miller wrote:
> Darryl L. Miles wrote:
>
>> I am seeing a recent increase in SSH harvesting attempts and brute
>> forcing in the log of my system.
>
> Please look at the archives for past discussion on this, and also at
> sshd_config's MaxStartups directive (which probably does what you want
> already).
This option is great and necessary but has a different purpose. It
serves to stop an attacker from bringing down the host by way of DoS.
It does nothing to assist legitimate users in using the service when
it's under trivial attack, it does nothing to deter the attacker from
using that method of harvesting crackable hosts in the first place.
MaxStartups - Hard ceiling limit (for all users alike, to protect the host)
Personally I run SSH on two ports, from two instances on many of my
hosts. All critical use of SSH (backups, data-tunneling) takes place on
this alternative port number. On many hosts this alternative port
number also has a firewall rule in place (iptables) that returns
Connection Refused for unknown IPs, so it's not DoSable. This two-port
approach has also helped during SSH server upgrades of remote hosts.
I want to protect legitimate users but obstruct abusive users and at the
same time completely destroy ssh login brute forcing as a useful method
of gaining entry by returning false negatives during authentication.
MaxStartups allows a single abusive user from dial-up to obstruct
legitimate users.
I shall as you suggest check out the previous discussions on the list to
see what was aired. A starting URL or subject would be handy.
Thanks
Darryl
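Added example, not part of the thread above: a shell script that generates the configuration for the "second sshd on an alternative port" setup Darryl describes, with the MaxStartups random-early-drop form for the host ceiling and the iptables rules that return Connection Refused (a TCP reset) to every source not on a short allowlist. The port number (2222), the allowlisted addresses, the pid-file path and the LoginGraceTime/PasswordAuthentication values are assumptions chosen for illustration; the directives and iptables options themselves are real.

```shell
#!/bin/sh
# Added example (not from the thread): config generator for a second sshd
# instance on an alternative port, protected by an iptables allowlist.
# Assumed values: port 2222, allowlist 203.0.113.5 and 198.51.100.0/24.
ALT_PORT=2222
ALLOWED_SOURCES="203.0.113.5 198.51.100.0/24"

# sshd_config for the second instance. Its own Port and PidFile let it run
# beside the default instance (start it with: sshd -f <this file>).
# MaxStartups 10:30:60 = random early drop: once 10 unauthenticated
# connections are pending, refuse new ones with 30% probability, rising
# linearly to 100% at 60 pending. LoginGraceTime 30 frees a slot sooner
# when a connection never completes authentication.
alt_sshd_config() {
    cat <<EOF
Port $ALT_PORT
PidFile /var/run/sshd-alt.pid
MaxStartups 10:30:60
LoginGraceTime 30
PasswordAuthentication no
EOF
}

# iptables rules for the alternative port: an explicit ACCEPT for each
# known source, then REJECT with tcp-reset for everyone else, so an
# unknown client sees "Connection refused" and never occupies one of the
# MaxStartups slots. Printed rather than executed; apply on the host
# with:  alt_port_rules | sh
alt_port_rules() {
    for src in $ALLOWED_SOURCES; do
        echo "iptables -A INPUT -p tcp --dport $ALT_PORT -s $src -j ACCEPT"
    done
    echo "iptables -A INPUT -p tcp --dport $ALT_PORT -j REJECT --reject-with tcp-reset"
}

# Sanity check: one ACCEPT per allowlist entry plus the final REJECT.
alt_port_rule_count() {
    alt_port_rules | wc -l | tr -d ' '
}

# Stand-alone run: show both artefacts.
alt_sshd_config
alt_port_rules
```

The ordering matters: the ACCEPT rules must precede the REJECT, and the REJECT is deliberately a reset rather than a DROP so that legitimate tooling from an unlisted address fails fast instead of hanging; the default-port instance keeps its own MaxStartups ceiling as before, so a flood there cannot touch the backup and tunnelling traffic on the alternative port.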