[clue-admin] More server security stuff
David Anselmi
anselmi at anselmi.us
Sun Mar 27 12:59:34 MST 2005
Jed S. Baer wrote:
[...]
> service ssh
> {
> socket_type = stream
> wait = no
> user = root
> server = /usr/sbin/sshd
> #It's not listed in my /etc/services
> port = 22
> server_args = -i
> log_on_failure = ATTEMPT HOST RECORD
> # begin "throttling" section
> instances = 10 # max instances of the server
> per_source = 3 # max per IP address
> cps = 10 30 # connections per second, reset after 30
> access_times = 06:00-23:59 00:00-01:00
> }
>
> My concern is that the script kiddies or crackers can succeed in shutting
> down legitimate access to the machine by continuing to beat on sshd.
Then you need to boost instances (perhaps to 30 or 60). Right now they
seem to need 4 different IPs doing the beating. 30 would mean they'd
need 10.
> I found no xinetd options which specifically limit, as Greg's quote put it
> "consecutive connections per host".
That's what per_source does, doesn't it?
I guess that with the above you'll still see log entries. I moved my
SSH servers off port 22 and they haven't been scanned since (Jafo's
idea, not mine).
Dave
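The thread's capacity arithmetic (instances=10 with per_source=3 is exhausted by 4 source IPs, instances=30 needs 10) and the concern that hammering the listener locks out legitimate users can be checked with a small model of the three xinetd throttling attributes. The code below is an added example, not from this thread or from xinetd itself; it is a simplified model of xinetd's admission rules (assumed: cps counts every arrival in the current wall-clock second, and instances/per_source count sessions still open when a new one arrives), and the IP addresses, timings and session lengths are constructed.

```python
"""Simplified model of xinetd's instances / per_source / cps throttling.
Added example; not xinetd's code. The admission order and the cps window
are assumptions, chosen to match the xinetd.conf description of each limit."""
import heapq
import math
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Limits:
    instances: int = 10    # max concurrent servers for the service
    per_source: int = 3    # max concurrent servers per client IP
    cps_rate: int = 10     # arrivals per second before the service is disabled
    cps_reset: int = 30    # seconds the service stays disabled afterwards


class XinetdThrottle:
    """Admission control for one service (model assumptions noted above)."""

    def __init__(self, limits):
        self.limits = limits
        self.active = []            # heap of (end_time, ip) for open sessions
        self.per_ip = Counter()     # open sessions per client IP
        self.bucket = [None, 0]     # [second, arrivals seen in that second]
        self.disabled_until = 0.0   # end of the current cps penalty, if any

    def _expire(self, now):
        # Release sessions whose server has already exited.
        while self.active and self.active[0][0] <= now:
            _, ip = heapq.heappop(self.active)
            self.per_ip[ip] -= 1

    def connect(self, now, ip, duration):
        """Return 'accept' or the name of the limit that rejected the connection."""
        self._expire(now)
        second = math.floor(now)
        if self.bucket[0] != second:
            self.bucket = [second, 0]
        self.bucket[1] += 1                        # every arrival counts toward cps
        if now < self.disabled_until:
            return "disabled"                      # still inside the cps penalty
        if self.bucket[1] > self.limits.cps_rate:
            self.disabled_until = now + self.limits.cps_reset
            return "cps"
        if len(self.active) >= self.limits.instances:
            return "instances"
        if self.per_ip[ip] >= self.limits.per_source:
            return "per_source"
        heapq.heappush(self.active, (now + duration, ip))
        self.per_ip[ip] += 1
        return "accept"


def run(limits, events):
    """events: iterable of (time, ip, session_seconds); returns [(time, ip, decision)]."""
    t = XinetdThrottle(limits)
    return [(now, ip, t.connect(now, ip, dur)) for now, ip, dur in sorted(events)]


def hosts_needed(limits):
    """Distinct client IPs needed to fill every instance slot."""
    return math.ceil(limits.instances / limits.per_source)


def exhaust_scenario(instances):
    """Constructed: four source IPs each open three long sessions (one of them
    tries a fourth), then a legitimate admin at 192.0.2.10 connects at t=2."""
    events = []
    for i in range(4):
        for j in range(3):
            events.append((i * 0.5 + j * 0.1, f"10.0.0.{i + 1}", 600.0))
    events.append((0.3, "10.0.0.1", 600.0))            # fourth session from one IP
    events.append((2.0, "192.0.2.10", 60.0))           # the legitimate user
    return run(Limits(instances=instances), events)


def cps_scenario():
    """Constructed: one IP opens 15 short connections inside a single second,
    then the legitimate user tries at t=5 and again at t=40."""
    events = [(k * 0.05, "10.0.0.9", 0.01) for k in range(15)]
    events += [(5.0, "192.0.2.10", 60.0), (40.0, "192.0.2.10", 60.0)]
    return run(Limits(), events)


if __name__ == "__main__":
    for label, rows in (("instances=10", exhaust_scenario(10)),
                        ("instances=30", exhaust_scenario(30)),
                        ("cps flood", cps_scenario())):
        print(label, "- hosts needed to fill instances:",
              hosts_needed(Limits(instances=30 if "30" in label else 10)))
        for now, ip, decision in rows:
            print(f"  t={now:5.2f} {ip:12} {decision}")
```

Running it shows the two sides of the thread's point: with instances=10 the legitimate user is refused with "instances" once four IPs hold ten sessions, while instances=30 admits everyone and a single IP is still capped at three by per_source. The cps scenario shows the other lockout path raised in the thread: once the rate is exceeded, the whole service is disabled for cps_reset seconds, so the legitimate user at t=5 is refused even though no sessions are open. Log entries for the refused connections are what log_on_failure in the quoted stanza records.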