[nycbug-talk] SSH attacks

Steven Kreuzer skreuzer at exit2shell.com
Wed Sep 10 17:05:40 EDT 2008


Yarema wrote:
> Max Gribov wrote:
>   
>> csnyder wrote:
>>     
>>> Once again, I find myself wishing there was some way to do this within
>>> sshd itself, rather than rely on a firewall feature.
>>>       
>
> sshd does have the MaxStartups config option.
>
>   
>> why?.. firewalls are in the kernel, sshd is in the userland - cheaper
>> and safer
>>     
>
> But I'm with Max on this one.  blocking with the in kernel packet filter
> is way more efficient than relying on the service to handle the load of
> a brute force attack.
>   
It's much better to do the filtering in the kernel rather than in
userland, simply because you'll save on the amount of context switching
you will need to perform.

It really doesn't make sense to allocate all the resources necessary to
accept an incoming connection only to have the daemon drop it. It's much
cheaper to drop the connection as soon as possible, which is why doing
it in pf is the best solution to this problem in my opinion.

SK
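The pf-side rate limiting the thread recommends, written out as an added example (this is not configuration from the original post or from any poster; the interface name em0, the table name, the thresholds and the cron line are assumptions chosen for illustration). It uses pf's max-src-conn-rate state option to feed an overload table, so a source that opens more than 5 new SSH connections in 30 seconds is blocked in the kernel before sshd ever forks for it; the sshd_config line at the end shows the userland counterpart mentioned earlier in the thread for comparison:

```conf
# /etc/pf.conf (added example; em0 and all limits are assumed values)
ext_if = "em0"

# Addresses that tripped the rate limit. "persist" keeps the table
# even when no rule currently references it.
table <bruteforce> persist

# Drop offenders first. "quick" stops rule evaluation here, so the
# pass rule below is never reached for them; this must sit above it.
block in quick on $ext_if from <bruteforce>

# Allow SSH but track connections per source address:
#   max-src-conn 10        at most 10 simultaneous states per source
#   max-src-conn-rate 5/30 no more than 5 new connections per 30 s
#   overload <bruteforce>  add the source to the table when exceeded
#   flush global           also kill that source's existing states
pass in on $ext_if proto tcp from any to ($ext_if) port ssh \
    flags S/SA keep state \
    (max-src-conn 10, max-src-conn-rate 5/30, \
     overload <bruteforce> flush global)

# /etc/sshd_config equivalent in userland (start:rate:full):
# once 10 unauthenticated connections are pending, drop new ones with
# 30% probability, rising linearly to 100% at 60. sshd still has to
# accept() and fork for each one before it can refuse it.
# MaxStartups 10:30:60

# Entries never expire by themselves; age them out from cron, e.g.
# once a day remove anything older than 24 hours (assumed interval):
# 0 * * * * /sbin/pfctl -t bruteforce -T expire 86400
```

Load with pfctl -f /etc/pf.conf and inspect the table with pfctl -t bruteforce -T show. Two caveats worth knowing before deploying this: "flush global" also tears down the offender's unrelated states, and a legitimate user behind the same NAT address as a brute-forcer will be blocked along with it until the entry expires, so keep an out-of-band way in or whitelist management addresses above the block rule.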


