Groups | Search | Server Info | Keyboard shortcuts | Login | Register [http] [https] [nntp] [nntps]

Groups > comp.os.linux.misc > #36691

Re: Is It Time To Replace SSH ???

From Pancho <Pancho.Jones@proton.me>
Newsgroups comp.os.linux.misc
Subject Re: Is It Time To Replace SSH ???
Date 2023-01-14 14:04 +0000
Organization A noiseless patient Spider
Message-ID <tpucps$1vma7$1@dont-email.me> (permalink)
References (3 earlier) <tpl19c$dad$1@reader2.panix.com> <tpsi0p$2hr0f$1@news.xmission.com> <tpso0h$1nmcm$1@dont-email.me> <tpu2q6$1uib1$1@dont-email.me> <wwvcz7he452.fsf@LkoBDZeT.terraraq.uk>

Show all headers | View raw

On 14/01/2023 11:39, Richard Kettlewell wrote:
> Pancho <Pancho.Jones@proton.me> writes:
>> fail2ban seems more suited to preventing attempts at password
>> cracking. A simple connection attempt rate limiter would be enough to
>> prevent high cpu from SSH negotiations. Even then, when using a good
>> authentication technique, public key rather than password, fail2ban
>> seems unnecessary, a simple connection attempt rate limiter should be
>> enough, without the downside of locking yourself out.
> 
> A rate limiter already exists in OpenSSH, and is on by default. Look for
> MaxStartups in ‘man sshd_config’. However, the rate it limits is _all_
> connections: even if you disable password authentication, each
> connection which attempts to use password authentication still
> counts. So with the current implementation you still end up deploying
> something like fail2ban to block persistent probers.
> 

Ok, maybe I'm missing something. There are a couple of bad things that I 
can see happening. Firstly, persistent bad connection attempts may 
consume CPU and other system resources. Secondly, multiple bad 
connection attempts may crack a password.

With the OpenSSH rate limiter, I presume the maximum CPU/resource cost 
is low, not worth worrying about. Particularly in typical servers (my 
servers) which have a low expected rate of ssh connections, so the rate 
limit can be strict. Without passwords, there isn't a crack risk.

So what problem does fail2ban solve? Particularly as DDOS attacks will 
get around it.

Back to comp.os.linux.misc | Previous | NextPrevious in thread | Next in thread | Find similar

Thread

Is It Time To Replace SSH ??? "26C.Z969" <26C.Z969@noaada.net> - 2022-12-15 01:52 -0500
  Re: Is It Time To Replace SSH ??? Richard Kettlewell <invalid@invalid.invalid> - 2022-12-15 08:39 +0000
    Re: Is It Time To Replace SSH ??? The Natural Philosopher <tnp@invalid.invalid> - 2022-12-15 10:09 +0000
      Re: Is It Time To Replace SSH ??? Andreas Kohlbach <ank@spamfence.net> - 2022-12-15 18:33 -0500
        Re: Is It Time To Replace SSH ??? The Natural Philosopher <tnp@invalid.invalid> - 2022-12-16 09:19 +0000
          Re: Is It Time To Replace SSH ??? Roger Blake <rogblake@iname.invalid> - 2022-12-19 00:12 +0000
            Re: Is It Time To Replace SSH ??? The Natural Philosopher <tnp@invalid.invalid> - 2022-12-19 11:05 +0000
      Re: Is It Time To Replace SSH ??? Richard Kettlewell <invalid@invalid.invalid> - 2022-12-16 18:21 +0000
        Re: Is It Time To Replace SSH ??? The Natural Philosopher <tnp@invalid.invalid> - 2022-12-17 07:03 +0000
        Re: Is It Time To Replace SSH ??? Pancho <Pancho.Jones@proton.me> - 2022-12-19 15:46 +0000
          Re: Is It Time To Replace SSH ??? The Natural Philosopher <tnp@invalid.invalid> - 2022-12-19 16:30 +0000
            Re: Is It Time To Replace SSH ??? Richard Kettlewell <invalid@invalid.invalid> - 2022-12-20 09:27 +0000
          Re: Is It Time To Replace SSH ??? Richard Kettlewell <invalid@invalid.invalid> - 2022-12-20 09:10 +0000
            Re: Is It Time To Replace SSH ??? Richard Kettlewell <invalid@invalid.invalid> - 2022-12-20 09:26 +0000
    Re: Is It Time To Replace SSH ??? "26C.Z969" <26C.Z969@noaada.net> - 2022-12-16 00:11 -0500
      Re: Is It Time To Replace SSH ??? "Carlos E. R." <robin_listas@es.invalid> - 2022-12-16 09:11 +0100
      Re: Is It Time To Replace SSH ??? The Natural Philosopher <tnp@invalid.invalid> - 2022-12-16 09:22 +0000
      Re: Is It Time To Replace SSH ??? Richard Kettlewell <invalid@invalid.invalid> - 2022-12-16 18:26 +0000
  Re: Is It Time To Replace SSH ??? Lew Pitcher <lew.pitcher@digitalfreehold.ca> - 2022-12-15 14:55 +0000
    Re: Is It Time To Replace SSH ??? "26C.Z969" <26C.Z969@noaada.net> - 2022-12-16 00:16 -0500
      Re: Is It Time To Replace SSH ??? The Natural Philosopher <tnp@invalid.invalid> - 2022-12-16 09:26 +0000
        Re: Is It Time To Replace SSH ??? "26C.Z969" <26C.Z969@noaada.net> - 2022-12-17 20:49 -0500
      Re: Is It Time To Replace SSH ??? Popping Mad <rainbow@colition.gov> - 2022-12-26 19:45 -0500
        Re: Is It Time To Replace SSH ??? "26C.Z969" <26C.Z969@noaada.net> - 2022-12-27 23:32 -0500
  Re: Is It Time To Replace SSH ??? Marco Moock <mo01@posteo.de> - 2022-12-15 18:03 +0100
    Re: Is It Time To Replace SSH ??? Andreas Kohlbach <ank@spamfence.net> - 2022-12-15 18:36 -0500
      Re: Is It Time To Replace SSH ??? "26C.Z969" <26C.Z969@noaada.net> - 2022-12-16 00:28 -0500
        Re: Is It Time To Replace SSH ??? Andreas Kohlbach <ank@spamfence.net> - 2022-12-16 01:33 -0500
          Re: Is It Time To Replace SSH ??? "26C.Z969" <26C.Z969@noaada.net> - 2022-12-17 02:08 -0500
            Re: Is It Time To Replace SSH ??? Rich <rich@example.invalid> - 2022-12-17 14:21 +0000
              Re: Is It Time To Replace SSH ??? "26C.Z969" <26C.Z969@noaada.net> - 2022-12-28 01:23 -0500
                Re: Is It Time To Replace SSH ??? not@telling.you.invalid (Computer Nerd Kev) - 2022-12-29 07:37 +1000
                Re: Is It Time To Replace SSH ??? "26C.Z969" <26C.Z969@noaada.net> - 2022-12-29 00:02 -0500
                Re: Is It Time To Replace SSH ??? Andreas Kohlbach <ank@spamfence.net> - 2022-12-29 01:33 -0500
                Re: Is It Time To Replace SSH ??? "26C.Z969" <26C.Z969@noaada.net> - 2022-12-29 21:06 -0500
                Re: Is It Time To Replace SSH ??? Robert Riches <spamtrap42@jacob21819.net> - 2022-12-30 04:16 +0000
                Re: Is It Time To Replace SSH ??? The Natural Philosopher <tnp@invalid.invalid> - 2022-12-30 14:33 +0000
                Re: Is It Time To Replace SSH ??? "26C.Z969" <26C.Z969@noaada.net> - 2022-12-31 00:23 -0500
                Re: Is It Time To Replace SSH ??? "26C.Z969" <26C.Z969@noaada.net> - 2022-12-31 00:12 -0500
                Re: Is It Time To Replace SSH ??? The Natural Philosopher <tnp@invalid.invalid> - 2022-12-30 14:31 +0000
                Re: Is It Time To Replace SSH ??? Charlie Gibbs <cgibbs@kltpzyxm.invalid> - 2022-12-30 19:09 +0000
                Re: Is It Time To Replace SSH ??? The Natural Philosopher <tnp@invalid.invalid> - 2022-12-30 20:38 +0000
                Re: Is It Time To Replace SSH ??? "26C.Z969" <26C.Z969@noaada.net> - 2022-12-31 00:32 -0500
                Re: Is It Time To Replace SSH ??? "26C.Z969" <26C.Z969@noaada.net> - 2022-12-31 01:00 -0500
                Re: Is It Time To Replace SSH ??? Charlie Gibbs <cgibbs@kltpzyxm.invalid> - 2022-12-31 20:14 +0000
                Re: Is It Time To Replace SSH ??? "26C.Z969" <26C.Z969@noaada.net> - 2023-01-01 00:17 -0500
        Re: Is It Time To Replace SSH ??? The Natural Philosopher <tnp@invalid.invalid> - 2022-12-16 09:21 +0000
      Re: Is It Time To Replace SSH ??? The Natural Philosopher <tnp@invalid.invalid> - 2022-12-16 09:20 +0000
        Re: Is It Time To Replace SSH ??? "Carlos E. R." <robin_listas@es.invalid> - 2022-12-16 10:30 +0100
          Re: Is It Time To Replace SSH ??? The Natural Philosopher <tnp@invalid.invalid> - 2022-12-16 09:38 +0000
            Re: Is It Time To Replace SSH ??? Richard Kettlewell <invalid@invalid.invalid> - 2022-12-16 18:29 +0000
              Re: Is It Time To Replace SSH ??? Marc Haber <mh+usenetspam1118@zugschl.us> - 2022-12-16 21:44 +0100
                Re: Is It Time To Replace SSH ??? The Natural Philosopher <tnp@invalid.invalid> - 2022-12-17 07:05 +0000
                Re: Is It Time To Replace SSH ??? "26C.Z969" <26C.Z969@noaada.net> - 2022-12-17 02:31 -0500
                Re: Is It Time To Replace SSH ??? Robert Heller <heller@deepsoft.com> - 2022-12-17 12:59 +0000
                Re: Is It Time To Replace SSH ??? "26C.Z969" <26C.Z969@noaada.net> - 2022-12-19 00:22 -0500
                Re: Is It Time To Replace SSH ??? Computer Nerd Kev <not@telling.you.invalid> - 2022-12-19 17:50 +1000
                Re: Is It Time To Replace SSH ??? Richard Kettlewell <invalid@invalid.invalid> - 2022-12-19 10:13 +0000
                Re: Is It Time To Replace SSH ??? Rich <rich@example.invalid> - 2022-12-17 14:25 +0000
                Re: Is It Time To Replace SSH ??? "Carlos E. R." <robin_listas@es.invalid> - 2022-12-18 00:51 +0100
                Re: Is It Time To Replace SSH ??? Richard Kettlewell <invalid@invalid.invalid> - 2022-12-18 11:16 +0000
                Re: Is It Time To Replace SSH ??? The Natural Philosopher <tnp@invalid.invalid> - 2022-12-18 12:02 +0000
                Re: Is It Time To Replace SSH ??? "26C.Z969" <26C.Z969@noaada.net> - 2022-12-18 20:57 -0500
                Re: Is It Time To Replace SSH ??? Richard Kettlewell <invalid@invalid.invalid> - 2022-12-19 10:05 +0000
                Re: Is It Time To Replace SSH ??? "Carlos E. R." <robin_listas@es.invalid> - 2022-12-19 12:24 +0100
                Re: Is It Time To Replace SSH ??? Richard Kettlewell <invalid@invalid.invalid> - 2022-12-20 09:08 +0000
                Re: Is It Time To Replace SSH ??? The Natural Philosopher <tnp@invalid.invalid> - 2022-12-19 11:24 +0000
                Re: Is It Time To Replace SSH ??? "26C.Z969" <26C.Z969@noaada.net> - 2022-12-20 22:57 -0500
                Re: Is It Time To Replace SSH ??? Richard Kettlewell <invalid@invalid.invalid> - 2022-12-21 09:35 +0000
                Re: Is It Time To Replace SSH ??? "26C.Z969" <26C.Z969@noaada.net> - 2022-12-24 21:29 -0500
                Re: Is It Time To Replace SSH ??? Richard Kettlewell <invalid@invalid.invalid> - 2022-12-28 09:06 +0000
                Re: Is It Time To Replace SSH ??? The Natural Philosopher <tnp@invalid.invalid> - 2022-12-19 11:18 +0000
                Re: Is It Time To Replace SSH ??? Marc Haber <mh+usenetspam1118@zugschl.us> - 2022-12-18 14:21 +0100
                Re: Is It Time To Replace SSH ??? "26C.Z969" <26C.Z969@noaada.net> - 2022-12-18 21:08 -0500
                Re: Is It Time To Replace SSH ??? "David W. Hodgins" <dwhodgins@nomail.afraid.org> - 2022-12-19 00:30 -0500
                Re: Is It Time To Replace SSH ??? The Natural Philosopher <tnp@invalid.invalid> - 2022-12-19 11:26 +0000
                Re: Is It Time To Replace SSH ??? "26C.Z969" <26C.Z969@noaada.net> - 2022-12-19 22:17 -0500
                Re: Is It Time To Replace SSH ??? "26C.Z969" <26C.Z969@noaada.net> - 2022-12-19 21:40 -0500
                Re: Is It Time To Replace SSH ??? "Carlos E. R." <robin_listas@es.invalid> - 2022-12-19 12:27 +0100
                Re: Is It Time To Replace SSH ??? "26C.Z969" <26C.Z969@noaada.net> - 2022-12-19 21:46 -0500
                Re: Is It Time To Replace SSH ??? Richard Kettlewell <invalid@invalid.invalid> - 2022-12-17 08:58 +0000
                Re: Is It Time To Replace SSH ??? Ted Heise <theise@panix.com> - 2022-12-20 14:24 +0000
                Re: Is It Time To Replace SSH ??? Richard Kettlewell <invalid@invalid.invalid> - 2022-12-20 16:14 +0000
                Re: Is It Time To Replace SSH ??? Ted Heise <theise@panix.com> - 2022-12-20 20:58 +0000
          Re: Is It Time To Replace SSH ??? not@telling.you.invalid (Computer Nerd Kev) - 2022-12-17 07:58 +1000
          Re: Is It Time To Replace SSH ??? Andreas Kohlbach <ank@spamfence.net> - 2022-12-16 21:24 -0500
            Re: Is It Time To Replace SSH ??? "David W. Hodgins" <dwhodgins@nomail.afraid.org> - 2022-12-17 02:03 -0500
              Re: Is It Time To Replace SSH ??? Andreas Kohlbach <ank@spamfence.net> - 2022-12-17 03:47 -0500
                Re: Is It Time To Replace SSH ??? "Carlos E. R." <robin_listas@es.invalid> - 2022-12-17 12:43 +0100
                Re: Is It Time To Replace SSH ??? Andreas Kohlbach <ank@spamfence.net> - 2022-12-17 20:13 -0500
                Re: Is It Time To Replace SSH ??? "Carlos E. R." <robin_listas@es.invalid> - 2022-12-18 23:35 +0100
                Re: Is It Time To Replace SSH ??? Andreas Kohlbach <ank@spamfence.net> - 2022-12-18 18:47 -0500
                Re: Is It Time To Replace SSH ??? "Carlos E. R." <robin_listas@es.invalid> - 2022-12-19 00:59 +0100
                Re: Is It Time To Replace SSH ??? "26C.Z969" <26C.Z969@noaada.net> - 2022-12-29 00:32 -0500
                Re: Is It Time To Replace SSH ??? "David W. Hodgins" <dwhodgins@nomail.afraid.org> - 2022-12-17 10:30 -0500
                Re: Is It Time To Replace SSH ??? Andreas Kohlbach <ank@spamfence.net> - 2022-12-17 20:20 -0500
                Re: Is It Time To Replace SSH ??? "26C.Z969" <26C.Z969@noaada.net> - 2022-12-23 22:36 -0500
                Re: Is It Time To Replace SSH ??? Andreas Kohlbach <ank@spamfence.net> - 2022-12-23 23:26 -0500
                Re: Is It Time To Replace SSH ??? "26C.Z969" <26C.Z969@noaada.net> - 2022-12-26 01:14 -0500
                Re: Is It Time To Replace SSH ??? The Natural Philosopher <tnp@invalid.invalid> - 2022-12-26 20:01 +0000
                Re: Is It Time To Replace SSH ??? "26C.Z969" <26C.Z969@noaada.net> - 2022-12-26 16:59 -0500
                Re: Is It Time To Replace SSH ??? Computer Nerd Kev <not@telling.you.invalid> - 2022-12-24 14:37 +1000
                Re: Is It Time To Replace SSH ??? "26C.Z969" <26C.Z969@noaada.net> - 2022-12-26 01:44 -0500
                Re: Is It Time To Replace SSH ??? not@telling.you.invalid (Computer Nerd Kev) - 2022-12-27 08:33 +1000
                Re: Is It Time To Replace SSH ??? "26C.Z969" <26C.Z969@noaada.net> - 2022-12-26 17:58 -0500
                Re: Is It Time To Replace SSH ??? "26C.Z969" <26C.Z969@noaada.net> - 2022-12-26 01:51 -0500
                Re: Is It Time To Replace SSH ??? The Natural Philosopher <tnp@invalid.invalid> - 2022-12-24 13:49 +0000
                Re: Is It Time To Replace SSH ??? "26C.Z969" <26C.Z969@noaada.net> - 2022-12-26 01:29 -0500
              Re: Is It Time To Replace SSH ??? "Carlos E. R." <robin_listas@es.invalid> - 2022-12-17 12:41 +0100
  Re: Is It Time To Replace SSH ??? Popping Mad <rainbow@colition.gov> - 2022-12-26 19:41 -0500
    Re: Is It Time To Replace SSH ??? "26C.Z969" <26C.Z969@noaada.net> - 2022-12-27 00:20 -0500
      Re: Is It Time To Replace SSH ??? Popping Mad <rainbow@colition.gov> - 2023-01-10 19:52 -0500
        Re: Is It Time To Replace SSH ??? gazelle@shell.xmission.com (Kenny McCormack) - 2023-01-13 21:21 +0000
          Re: Is It Time To Replace SSH ??? Rich <rich@example.invalid> - 2023-01-13 23:03 +0000
            Re: Is It Time To Replace SSH ??? Andreas Kohlbach <ank@spamfence.net> - 2023-01-13 21:48 -0500
            Re: Is It Time To Replace SSH ??? The Natural Philosopher <tnp@invalid.invalid> - 2023-01-14 03:39 +0000
            Re: Is It Time To Replace SSH ??? Richard Kettlewell <invalid@invalid.invalid> - 2023-01-14 10:40 +0000
            Re: Is It Time To Replace SSH ??? Pancho <Pancho.Jones@proton.me> - 2023-01-14 11:14 +0000
              Re: Is It Time To Replace SSH ??? Richard Kettlewell <invalid@invalid.invalid> - 2023-01-14 11:39 +0000
                Re: Is It Time To Replace SSH ??? Pancho <Pancho.Jones@proton.me> - 2023-01-14 14:04 +0000
                Re: Is It Time To Replace SSH ??? Richard Kettlewell <invalid@invalid.invalid> - 2023-01-14 14:28 +0000
                Re: Is It Time To Replace SSH ??? The Natural Philosopher <tnp@invalid.invalid> - 2023-01-14 15:26 +0000
          Re: Is It Time To Replace SSH ??? The Natural Philosopher <tnp@invalid.invalid> - 2023-01-14 03:38 +0000
            Re: Is It Time To Replace SSH ??? "26C.Z968" <26C.Z968@noaada.net> - 2023-01-14 01:47 -0500
              Re: Is It Time To Replace SSH ??? Dan Espen <dan1espen@gmail.com> - 2023-01-14 11:24 -0500
                Re: Is It Time To Replace SSH ??? The Natural Philosopher <tnp@invalid.invalid> - 2023-01-14 16:57 +0000

csiph-web