On Wed, Feb 27, 2008 at 10:39:15PM +0100, Penguin Lover Anno v. Heimburg squawked:
> It limits the number of new connections on each port in
> INPUT_LIMITER_TCPPORTS from any individual host to INPUT_LIMITER_COUNT
> within INPUT_LIMITER_TIME.

My experience suggests that finding the right INPUT_LIMITER_TIME would
be difficult. From my experience (by reading the logs after I cobbled
together a patchwork solution to blacklist hosts), the typical
behaviour of an sshd brute-force attack, after you start dropping
packets from it, is that it will begin to add a geometrically
increasing sleep time between attempts and continue for about 30
minutes to an hour. So if your time parameter is on the order of
several seconds, the attack will be like

try, try, try, doh! connection timed out, wait a bit, try again,
doh! still timed out, wait a bit longer, hey it works now, try, try,
doh! time out again

rinse and repeat.

But if you set the time parameter to minutes or tens of minutes, then
you risk banning yourself if you need multiple instances of ssh. (Yes,
screen is nice, but sometimes I like to keep two terminals open. And
there's always the "saving work, quitting, logging out; doh! forgot to
do something, log back in again" scenario.)

W
--
When a clock is hungry it goes back four seconds.
Sortir en Pantoufles: up 447 days, 14:54
--
gentoo-user@l.g.o mailing list
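The trade-off W describes (a short INPUT_LIMITER_TIME lets a backing-off brute-forcer keep getting guesses through, a long one locks out a legitimate user who opens a second terminal or logs straight back in) can be made concrete with a small simulation. This is an added example, not code from the thread or from the limiter rules being discussed. It assumes a per-source limiter with iptables recent-module-style semantics (every SYN is recorded, dropped ones included, as with --update, and a SYN is dropped once more than N are on record within the last T seconds), an INPUT_LIMITER_COUNT of 3, and two constructed traffic patterns: an attacker that doubles its sleep after each dropped attempt, and a user who opens two sessions, logs out after about 15 minutes, then logs back in and opens a second terminal again.

```python
"""Simulation of a per-source new-connection limiter in the style of
iptables' recent module (-m recent --update --seconds T --hitcount N -j DROP,
followed by --set -j ACCEPT).  Added example for this thread, not code from
it; the addresses and traffic patterns below are constructed."""
from collections import defaultdict, deque


class ConnectionLimiter:
    """Sliding-window limiter: at most max_count new connections per source
    within any window_seconds span.  Dropped attempts are still recorded,
    as they are with the recent module's --update (an assumption of this
    model, matching the usual SSH rate-limit recipe)."""

    def __init__(self, window_seconds, max_count):
        self.window = window_seconds
        self.max_count = max_count
        self.hits = defaultdict(deque)

    def new_connection(self, src, now):
        q = self.hits[src]
        while q and now - q[0] >= self.window:   # forget hits outside the window
            q.popleft()
        q.append(now)                             # record this SYN, accepted or not
        return len(q) <= self.max_count           # True = ACCEPT, False = DROP


# Constructed addresses from the RFC 5737 documentation ranges.
ATTACKER = "203.0.113.7"
USER = "192.0.2.10"


def simulate_attacker(window_seconds, max_count, duration=3600):
    """Brute-forcer that guesses once a second while its SYNs get through and,
    once dropped, sleeps 2, 4, 8, ... seconds between retries (the geometric
    backoff described in the post), resetting the sleep when a SYN succeeds.
    Returns how many password guesses reached sshd within `duration` seconds."""
    lim = ConnectionLimiter(window_seconds, max_count)
    t, backoff, guesses = 0, 2, 0
    while t < duration:
        if lim.new_connection(ATTACKER, t):
            guesses += 1
            backoff = 2
            t += 1
        else:
            t += backoff
            backoff *= 2
    return guesses


# Constructed legitimate pattern: two terminals opened 5 s apart, ~15 min of
# work, log out, then "forgot something": log back in and open a second
# terminal again 5 s later.
USER_SYNS = (0, 5, 920, 925)


def simulate_user(window_seconds, max_count, syn_times=USER_SYNS):
    """Returns, per SYN, whether the legitimate user got in."""
    lim = ConnectionLimiter(window_seconds, max_count)
    return [lim.new_connection(USER, t) for t in syn_times]


if __name__ == "__main__":
    count = 3   # assumed INPUT_LIMITER_COUNT
    print("window(s)  attacker guesses/hour  legit user SYNs accepted")
    for window in (10, 60, 600, 1800):
        print(f"{window:>9}  {simulate_attacker(window, count):>20}  "
              f"{simulate_user(window, count)}")
```

With a 10 s window the attacker is dropped after three guesses, backs off 2, 4 and 8 s, finds the window has expired, and gets three more guesses in; that cycle repeats every 17 s, so well over 600 guesses land in an hour while the user never notices the limiter. With a 1800 s window the attacker gets exactly three guesses in the hour, but the user's fourth SYN (the second terminal after logging back in) is the fourth hit in the window and is dropped, which is the self-ban W warns about.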