Re: DenyHosts

To: debian-user@lists.debian.org
Subject: Re: DenyHosts
From: Christian Seiler <christian@iwakd.de>
Date: Sun, 17 Jan 2016 14:07:18 +0100
Message-id: <[🔎] 569B9206.1000709@iwakd.de>
In-reply-to: <[🔎] 20160116125730.c046d3c4e2cca4a07564a5ab@gmail.com>
References: <[🔎] vapi9b9ifknfu2rdddiu2lq35nqrdqmqop@4ax.com> <[🔎] 20160116015538.0d9f3ac269af947e278d7696@gmail.com> <[🔎] eekj9bhpmen1fu7j9lm0lk9c6s9i5dttq2@4ax.com> <[🔎] 20160116125730.c046d3c4e2cca4a07564a5ab@gmail.com>

On 01/16/2016 10:57 AM, Reco wrote:
> - anyone can connect up to 16 times via ssh.
> - anyone exceeding the connection limit is tarpitted, and must wait
> for an hour to try again.

Note that while this may be adequate for your use case, I would
caution that 16 connections / hour can easily (!) be exceeded
by regular SSH usage.

If you have pubkey authentication (with an agent that remembers
the key's passphrase) and have command line completion on the
shell that also works with SSH, tabbing through scp options can
easily produce more than 16 new SSH connections within a few
minutes only.

Example:

scp host:/srv/d<TAB>
scp host:/srv/data/w<TAB>
scp host:/srv/data/website/ex<TAB>
scp host:/srv/data/website/example.com/...
 (you get the picture)

On my system with something like that I got more than 5 new
SSH connections within just a few seconds - and while most
shell completion implementations cache this data to a certain
extent, 16 / hour seems really low for such a use case.

Also, if you use modern desktop environments (e.g. GNOME, KDE),
they can directly access e.g. SFTP from many programs (such as
text editors etc.) - but those may close connections when they
are idle for a time and re-open them - so directly editing a
file via SFTP from a program might lead to a LOT of new SSH
connections over the course of a short period of time.

As I said: for your use case this might not be relevant, so I
don't want to say that the solution presented here is wrong,
it will be perfectly fine for a good many situations; I just
wanted to illustrate that there are legitimate use cases where
it is possible to exceed that limit easily. Obviously, you
could increase the limit by a bit - because even if you allow
let's say 10000 connections per hour and IP, that would still
make brute force rather difficult... OTOH, I haven't put any
thought into the best trade-off between security and usability
here, and I just made up the number 10000, so please don't
just use that number unconditionally either.

Regards,
Christian

Attachment: signature.asc
Description: OpenPGP digital signature

Reply to:

Follow-Ups:
- Re: DenyHosts
  - From: Igor Cicimov <icicimov@gmail.com>

References:
- DenyHosts
  - From: Steve Matzura <sm@noisynotes.com>
- Re: DenyHosts
  - From: Reco <recoverym4n@gmail.com>
- Re: DenyHosts
  - From: Steve Matzura <number6@noisynotes.com>
- Re: DenyHosts
  - From: Reco <recoverym4n@gmail.com>

Prev by Date: Re: eagle-lin64-7.5.0.run, won't
Next by Date: Re: eagle-lin64-7.5.0.run, won't
Previous by thread: Re: DenyHosts
Next by thread: Re: DenyHosts
Index(es):
- Date
- Thread