Re: DenyHosts

To: Christian Seiler <christian@iwakd.de>
Cc: debian-user <debian-user@lists.debian.org>
Subject: Re: DenyHosts
From: Igor Cicimov <icicimov@gmail.com>
Date: Mon, 18 Jan 2016 00:31:18 +1100
Message-id: <[🔎] CAAKASGwHmaHQtvDUYparrm4etaM6rifoL8D5+o3GS6fOnJwj9g@mail.gmail.com>
In-reply-to: <[🔎] 569B9206.1000709@iwakd.de>
References: <[🔎] vapi9b9ifknfu2rdddiu2lq35nqrdqmqop@4ax.com> <[🔎] 20160116015538.0d9f3ac269af947e278d7696@gmail.com> <[🔎] eekj9bhpmen1fu7j9lm0lk9c6s9i5dttq2@4ax.com> <[🔎] 20160116125730.c046d3c4e2cca4a07564a5ab@gmail.com> <[🔎] 569B9206.1000709@iwakd.de>

On 18/01/2016 12:08 AM, "Christian Seiler" <christian@iwakd.de> wrote:
>
> On 01/16/2016 10:57 AM, Reco wrote:
> > - anyone can connect up to 16 times via ssh.
> > - anyone exceeding the connection limit is tarpitted, and must wait
> > for an hour to try again.
>
> Note that while this may be adequate for your use case, I would
> caution that 16 connections / hour can easily (!) be exceeded
> by regular SSH usage.
>
> If you have pubkey authentication (with an agent that remembers
> the key's passphrase) and have command line completion on the
> shell that also works with SSH, tabbing through scp options can
> easily produce more than 16 new SSH connections within a few
> minutes only.
>
> Example:
>
> scp host:/srv/d<TAB>
> scp host:/srv/data/w<TAB>
> scp host:/srv/data/website/ex<TAB>
> scp host:/srv/data/website/example.com/...
> (you get the picture)
>
> On my system with something like that I got more than 5 new
> SSH connections within just a few seconds - and while most
> shell completion implementations cache this data to a certain
> extent, 16 / hour seems really low for such a use case.
>

Or just use multiplexing and not worry about it
https://en.m.wikibooks.org/wiki/OpenSSH/Cookbook/Multiplexing

> Also, if you use modern desktop environments (e.g. GNOME, KDE),
> they can directly access e.g. SFTP from many programs (such as
> text editors etc.) - but those may close connections when they
> are idle for a time and re-open them - so directly editing a
> file via SFTP from a program might lead to a LOT of new SSH
> connections over the course of a short period of time.
>
> As I said: for your use case this might not be relevant, so I
> don't want to say that the solution presented here is wrong,
> it will be perfectly fine for a good many situations; I just
> wanted to illustrate that there are legitimate use cases where
> it is possible to exceed that limit easily. Obviously, you
> could increase the limit by a bit - because even if you allow
> let's say 10000 connections per hour and IP, that would still
> make brute force rather difficult... OTOH, I haven't put any
> thought into the best trade-off between security and usability
> here, and I just made up the number 10000, so please don't
> just use that number unconditionally either.
>
> Regards,
> Christian
>

Reply to:

Follow-Ups:
- Re: DenyHosts
  - From: Moreanu Robert - Nicolae <robertmoreanu@gmail.com>

References:
- DenyHosts
  - From: Steve Matzura <sm@noisynotes.com>
- Re: DenyHosts
  - From: Reco <recoverym4n@gmail.com>
- Re: DenyHosts
  - From: Steve Matzura <number6@noisynotes.com>
- Re: DenyHosts
  - From: Reco <recoverym4n@gmail.com>
- Re: DenyHosts
  - From: Christian Seiler <christian@iwakd.de>

Prev by Date: Re: eagle-lin64-7.5.0.run, won't
Next by Date: Re: DenyHosts
Previous by thread: Re: DenyHosts
Next by thread: Re: DenyHosts
Index(es):
- Date
- Thread