| 1 |
On Wed, Feb 27, 2008 at 10:39:15PM +0100, Penguin Lover Anno v. Heimburg squawked: |
| 2 |
> It limits the number of new connections on each port in |
| 3 |
> INPUT_LIMITER_TCPPORTS from any individual host to INPUT_LIMITER_COUNT |
| 4 |
> within INPUT_LIMITER_TIME. |
| 5 |
|
| 6 |
My experience suggests that finding the right INPUT_LIMITER_TIME would |
| 7 |
be difficult. From my experience (by reading the logs after I cobbled |
| 8 |
together a patch work solution to blacklist hosts), the typical |
| 9 |
behaviour of a sshd bruteforce attack, after you start dropping |
| 10 |
packets from it, is that it will begin to add a geometrically |
| 11 |
increasing sleep time between attempts and continue for about 30 |
| 12 |
minutes to an hour. So if your time parameter is on the order of |
| 13 |
several seconds, the attack will be like |
| 14 |
|
| 15 |
try, try, try, doh! connection timed out, wait a bit, try again, |
| 16 |
doh! still timed out, wait a bit longer, hey it works now, try, try |
| 17 |
, doh! time out again |
| 18 |
|
| 19 |
rinse and repeat. |
| 20 |
|
| 21 |
But if you set the time parameter to minutes or tens of minutes, then |
| 22 |
you risk banning yourself if you need multiple instances of ssh. (Yes, |
| 23 |
screen is nice, but sometimes I like to keep two terminals open. And |
| 24 |
there's always the case of "saving work, quitting, logging out; doh! |
| 25 |
forgot to do something, log back in again" scenario.) |
| 26 |
|
| 27 |
W |
| 28 |
-- |
| 29 |
When a clock is hungry it goes back four seconds. |
| 30 |
Sortir en Pantoufles: up 447 days, 14:54 |
| 31 |
-- |
| 32 |
gentoo-user@l.g.o mailing list |
Archives