RE: question about ssh


 



I missed part of the thread here, so forgive a 'doh' response...

Another possibility to this could be putting the sshd under the xinetd
service.  

Then you could limit connections with 'cps'. The value below would allow
25 connections per second but anything over that would disable the
service for 30 seconds. 

cps = 25 30 

These are also valid variables:

access_times = 8:00-18:00
per_source = 3 (max allowed connections per source address)

www.linuxtech.cc

-----Original Message-----
From: fedora-list-bounces@xxxxxxxxxx
[mailto:fedora-list-bounces@xxxxxxxxxx] On Behalf Of Robert P. J. Day
Sent: Thursday, December 30, 2004 11:35 AM
To: For users of Fedora Core releases
Subject: Re: question about ssh

On Thu, 30 Dec 2004, Dario Lesca wrote:

> Il gio, 2004-12-30 alle 14:30, Steven Stern ha scritto:
> > On Thu, 30 Dec 2004 21:19:35 +0800, chi <chi@xxxxxxxxxxxxxxxxxx> wrote:
>
> > I did three things.
> > ...
>
> .. and via iptables?
>
> it is possible allow only 2 or 3 access every 5/10 minutes with
> --limit-burst option?

you're being kind of vague here.  is it 2 or 3?  is it every 5 or 10
minutes?

once upon a time, i figured out how the whole "--limit" and
"limit-burst" thing worked, and the man page really makes it more
complicated than it has to be.

consider an example involving both of:

	--limit 5/minute
	--limit-burst 10

think of the above as follows:  you start with a bucket (for you
statisticians, that would be "urn") with 10 tokens.  every time you
get an arrival that you're limiting, you pay for it with a token out
of the urn.  5 times per minute (every 12 seconds), a token is dropped
into the bucket for you to regularly replenish your supply.  but the
limit-burst means you are never allowed to hold more than 10 tokens at
a time.

so how does a burst affect this?  if you suddenly get whacked hard
with lots of packets, you have enough tokens to allow the first 10,
after which you reject all the rest except for one every 12 seconds,
when you get a new token in the urn, and you use that new token almost
immediately if you're getting lots of traffic.

only when things slow down do you get the chance to start gradually
building up your stock of tokens in the urn (again, up to a maximum of
10).

rday

p.s.  hmmm ... i just checked the iptables man page and, strangely, it
seems to follow the above explanation a lot more closely than it used
to.  how odd.

-- 
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: http://www.redhat.com/mailman/listinfo/fedora-list
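As an added example (not code from the thread or from either poster): a small simulation of the two limiters discussed above, rday's iptables token bucket for --limit 5/minute --limit-burst 10 and the xinetd cps = 25 30 setting from the top of the page, run over one constructed arrival pattern (30 SSH connection attempts at once, then one per second for 40 seconds). The xinetd side is a simplified model and an assumption on my part: a fixed one-second window starting at the first connection in it, with the service disabled for the wait interval when the count goes over the rate. The two iptables rule lines in the docstring are the ones the bucket stands in for; they are not quoted from the thread.

```python
"""Simulate the two rate limiters discussed in the thread (added example).

iptables side, as a token bucket (the rules this models, on the sshd host):
    iptables -A INPUT -p tcp --dport 22 --syn -m limit --limit 5/minute --limit-burst 10 -j ACCEPT
    iptables -A INPUT -p tcp --dport 22 --syn -j DROP
xinetd side: `cps = 25 30` in the sshd service stanza (simplified model).
"""

from typing import List, Optional, Tuple


class TokenBucket:
    """Model of `-m limit --limit <rate> --limit-burst <burst>`.

    Credit is kept in seconds: one matched packet costs 60/rate seconds of
    credit (12 s for 5/minute), credit accrues one second per second, and
    it is capped at burst * cost (10 tokens = 120 s).  This keeps the math
    exact and mirrors rday's picture: 10 tokens to start, one back every
    12 s, never more than 10 held.
    """

    def __init__(self, burst: int, rate_per_minute: int) -> None:
        self.cost = 60.0 / rate_per_minute   # seconds of credit per packet
        self.cap = burst * self.cost         # full bucket
        self.credit = self.cap               # bucket starts full
        self.last = 0.0                      # time of previous arrival

    def allow(self, now: float) -> bool:
        # refill for the time elapsed since the last arrival, up to the cap
        self.credit = min(self.cap, self.credit + (now - self.last))
        self.last = now
        if self.credit >= self.cost:
            self.credit -= self.cost         # pay for this packet
            return True
        return False                         # no token: rule does not match, packet hits DROP


class XinetdCps:
    """Simplified model of xinetd `cps = <rate> <wait>` (assumption, not the
    xinetd source): connections are counted in a one-second window that
    starts at the first connection in it; the connection that pushes the
    count over `rate` is refused and the service is disabled for `wait` s.
    """

    def __init__(self, rate: int, wait: float) -> None:
        self.rate = rate
        self.wait = wait
        self.window_start: Optional[float] = None
        self.count = 0
        self.disabled_until = -1.0

    def allow(self, now: float) -> bool:
        if now < self.disabled_until:
            return False                     # service still switched off
        if self.window_start is None or now - self.window_start >= 1.0:
            self.window_start = now          # new one-second window
            self.count = 0
        self.count += 1
        if self.count > self.rate:
            self.disabled_until = now + self.wait
            return False
        return True


def burst_then_trickle() -> List[float]:
    """Constructed arrivals: 30 SYNs at t=0, then one per second for 40 s."""
    return [0.0] * 30 + [float(t) for t in range(1, 41)]


def run(limiter, arrivals: List[float]) -> List[Tuple[float, bool]]:
    """Feed each arrival time to the limiter and record its decision."""
    return [(t, limiter.allow(t)) for t in arrivals]


def accepted_times(results: List[Tuple[float, bool]]) -> List[float]:
    return [t for t, ok in results if ok]


if __name__ == "__main__":
    arrivals = burst_then_trickle()
    ipt = accepted_times(run(TokenBucket(burst=10, rate_per_minute=5), arrivals))
    xin = accepted_times(run(XinetdCps(rate=25, wait=30), arrivals))
    print("iptables --limit 5/minute --limit-burst 10 accepted at:", ipt)
    print("xinetd cps = 25 30 accepted at:", xin)
```

Running it shows the difference in shape: the bucket lets the first 10 of the burst through and then exactly one attempt every 12 seconds (t=12, 24, 36), which is rday's "one every 12 seconds" trickle; the cps setting accepts the first 25 of the burst, then refuses everything for 30 seconds and comes back at full rate, so a single sustained burst turns into a 30-second outage for every client, including legitimate ones.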


This message (including any attachments) contains confidential information intended for a specific individual and purpose, and is protected by law.  If you are not the intended recipient, you should delete this message.  Any disclosure, copying, or distribution of this message, or the taking of any action based on it, is strictly prohibited.

