Home / server / Questions / 238163
In Process
dynamic
Asked: 2011-02-22 04:39:20 +0800 CST

sshd_config adding a delay between login attempts?

  • 772

Is there a configuration for this without installing 3rd party software?

linux debian ssh

2 Answers

  1. You can do rate-limiting easily with iptables, and this can be done without giving the machine a full firewall.

    The code is

    # rate-limit connections to sshd
iptables -A INPUT -p tcp --syn --dport 22 -m recent --name sshattack --set
iptables -A INPUT -p tcp --dport 22 --syn -m recent --name sshattack --rcheck --seconds 60 --hitcount 3 -j LOG --log-prefix 'SSH REJECT: '
iptables -A INPUT -p tcp --dport 22 --syn -m recent --name sshattack --rcheck --seconds 60 --hitcount 3 -j REJECT --reject-with tcp-reset

    which will only allow two connections from any given IP address, in a rolling 60-second window. You will need to be careful to put these rules in the right place in your INPUT chain.

    See my writeup for more information, if you're interested.

    • 6

  2. No, not that I know of. There is no such thing with openssh.

    What you have is 

    MaxStartups
    Specifies the maximum number of concurrent unauthenticated connections 
    to the SSH daemon.  Additional connections will be dropped until authentication 
    succeeds or the LoginGraceTime expires for a connection. The default is 10.

    But I don't think this is what you were looking for.

    • 0