SSH hank attempts��bad?

Andrew McNabb amcnabb at mcnabbs.org
Wed Apr 12 14:18:46 MDT 2006


On Wed, Apr 12, 2006 at 01:07:02PM -0700, Blake B. wrote:
> 
> >It's not uncommon for me to ssh into my own machine 10 or more  times
> >in a 60 second period.  I know people that do twice or thrice that.
> 
> I can see a few scenarios where this would happen (scripts, sync  
> jobs, etc.)  but overall why would you ever need to?  You can easily  
> exclude IPs from the iptables behavior, and/or setup a backdoor SSH  
> daemon on a different port.
> And generally if you're the only person using the system then keeping
		^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

> SSH on port 22 isn't really a concern.

Obviously, if someone is looking at a system that only they use, they
should describe their usage patterns and do what works best for them.
Connection limiting may be the best option.

However, when a number of people are using a system, this can be
problematic.  For example, BYU OIT set up a campus-wide system that
blocked connections to a host after something like five connections per
minute.  A number of people in the CS department were affected by this.
OIT's response was to increase the limit, but people still occasionally
hit it.  The fact of the matter is that some legitimate users will
occasionally connect at a faster rate than the attackers.


-- 
Andrew McNabb
http://www.mcnabbs.org/andrew/
PGP Fingerprint: 8A17 B57C 6879 1863 DE55  8012 AB4D 6098 8826 6868
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 188 bytes
Desc: not available
Url : http://plug.org/pipermail/plug/attachments/20060412/6f4de58c/attachment.bin 


More information about the PLUG mailing list