author | Brian Feldman <green@FreeBSD.org> | 1999-12-06 06:32:22 +0000 |
---|---|---|
committer | Brian Feldman <green@FreeBSD.org> | 1999-12-06 06:32:22 +0000 |
commit | 7db4f457f6a6ea6b626f279559bb1f64eb99340f (patch) | |
tree | 59214fa124baf135ea161ba06a2e04db29138b42 /security/openssh/files/patch-ao | |
parent | Under advisories, put RESTRICTED back. It more accurately reflects (diff) |
In the meantime (while things are being worked and decided on on the
OpenBSD OpenSSH front), add ConnectionsPerPeriod to prevent DoS via
running the system out of resources. In reality, this wouldn't
be a full DoS, but would make a system slower, but this is a better
thing to do than let the system get loaded down.
So here we are, rate-limiting. The default settings are now:
Five connections are allowed to authenticate (and not be rejected) in
a period of ten seconds.
One minute is given for login grace time.
More work in this area is being done by alfred@FreeBSD.org and
markus@OpenBSD.org, at the very least. This is, essentially, a
stopgap solution; however, it is a properly implemented and documented
one, and has an easily modifiable framework.
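To make the "five connections per ten seconds" setting concrete, here is an added illustration of a `count/period` connection limiter of the kind the `ConnectionsPerPeriod` keyword configures. This is example code written for this page; it is not the sshd patch the commit refers to, and the `conn_limit` struct, `parse_connections_per_period`, `connection_allowed`, `count_admitted`, `spec_is_valid` and the `SAMPLE_ARRIVALS` timestamps are all constructed here. It assumes a fixed-window counter (the first connection opens a window of `period` seconds, at most `count` connections are admitted while it is open, and the window restarts once expired); whether the real patch counts that way or with a sliding window is not shown on this page.

```c
/*
 * Illustrative "count/period" connection limiter, constructed for this
 * page.  It is NOT the sshd patch the commit refers to.  Assumed
 * semantics: a fixed window of `period` seconds admits at most `count`
 * connections; the window is opened by the first connection and
 * restarted once it has expired.
 */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>

struct conn_limit {
    unsigned count;         /* connections admitted per period (0 = unlimited) */
    unsigned period;        /* period length in seconds */
    time_t   window_start;  /* when the current window opened */
    unsigned seen;          /* connections admitted in the current window */
};

/*
 * Parse the keyword argument "count/period" (e.g. "5/10").  Both fields
 * must be positive decimal integers with nothing else attached.  Returns
 * 0 on success and -1 on a malformed argument, so that a typo in the
 * config cannot silently disable the limit.
 */
int parse_connections_per_period(const char *arg, struct conn_limit *cl)
{
    char *end;
    unsigned long count, period;

    if (arg == NULL || cl == NULL)
        return -1;
    if (*arg < '0' || *arg > '9')           /* reject "", " 5/10", "-5/10" */
        return -1;
    errno = 0;
    count = strtoul(arg, &end, 10);
    if (errno != 0 || end == arg || *end != '/' || count == 0 || count > 100000)
        return -1;
    arg = end + 1;
    if (*arg < '0' || *arg > '9')
        return -1;
    errno = 0;
    period = strtoul(arg, &end, 10);
    if (errno != 0 || end == arg || *end != '\0' || period == 0 || period > 86400)
        return -1;
    cl->count = (unsigned)count;
    cl->period = (unsigned)period;
    cl->window_start = 0;
    cl->seen = 0;
    return 0;
}

/*
 * Decide whether a connection arriving at `now` may proceed to
 * authentication.  Returns 1 to admit it and 0 to drop it.
 */
int connection_allowed(struct conn_limit *cl, time_t now)
{
    if (cl->count == 0)
        return 1;                           /* limiting not configured */
    if (cl->seen == 0 || now - cl->window_start >= (time_t)cl->period) {
        cl->window_start = now;             /* open a fresh window */
        cl->seen = 0;
    }
    if (cl->seen >= cl->count)
        return 0;                           /* window exhausted: reject */
    cl->seen++;
    return 1;
}

/*
 * Replay a list of arrival times against a spec and return how many
 * connections were admitted, or -1 if the spec is malformed.
 */
int count_admitted(const char *spec, const time_t *arrivals, size_t n)
{
    struct conn_limit cl;
    size_t i;
    int admitted = 0;

    if (parse_connections_per_period(spec, &cl) != 0)
        return -1;
    for (i = 0; i < n; i++)
        if (connection_allowed(&cl, arrivals[i]))
            admitted++;
    return admitted;
}

/* 1 if `spec` is accepted by the parser, 0 otherwise. */
int spec_is_valid(const char *spec)
{
    struct conn_limit cl;
    return parse_connections_per_period(spec, &cl) == 0;
}

/* Constructed arrival times (seconds): an 8-connection burst inside one
 * 10-second window, then two connections after that window expires. */
const time_t SAMPLE_ARRIVALS[] = { 100, 100, 100, 100, 100, 101, 105, 109, 110, 115 };
const size_t SAMPLE_ARRIVALS_N = sizeof(SAMPLE_ARRIVALS) / sizeof(SAMPLE_ARRIVALS[0]);

int main(void)
{
    struct conn_limit cl;
    size_t i;

    if (parse_connections_per_period("5/10", &cl) != 0) {
        fprintf(stderr, "bad ConnectionsPerPeriod argument\n");
        return 1;
    }
    for (i = 0; i < SAMPLE_ARRIVALS_N; i++)
        printf("t=%3ld  %s\n", (long)SAMPLE_ARRIVALS[i],
               connection_allowed(&cl, SAMPLE_ARRIVALS[i]) ? "admit" : "reject");
    return 0;
}
```

With `5/10`, the sample burst admits the first five connections at t=100, rejects the three that follow inside the window, and admits again from t=110. The fixed window is the literal reading of "five in a period of ten seconds", but it has a known edge: a burst placed just before and just after a window boundary can be admitted at up to twice the configured rate for a moment. A sliding window over the last `period` seconds of admitted timestamps closes that gap at the cost of keeping `count` timestamps per limiter.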
Notes:
svn path=/head/; revision=23622
Diffstat (limited to 'security/openssh/files/patch-ao')
-rw-r--r-- | security/openssh/files/patch-ao | 13 |
1 files changed, 8 insertions, 5 deletions
diff --git a/security/openssh/files/patch-ao b/security/openssh/files/patch-ao index 3e8278e2a5c4..7ca746e1fb3a 100644 --- a/security/openssh/files/patch-ao +++ b/security/openssh/files/patch-ao @@ -1,6 +1,6 @@ --- /usr/ports/distfiles/OpenSSH-1.2/src/usr.bin/ssh/sshd_config Thu Nov 11 17:58:39 1999 -+++ ./sshd_config Tue Nov 23 19:31:58 1999 -@@ -3,11 +3,11 @@ ++++ sshd_config Sun Dec 5 13:37:20 1999 +@@ -2,12 +2,13 @@ Port 22 ListenAddress 0.0.0.0 @@ -8,10 +8,13 @@ +HostKey __PREFIX__/etc/ssh_host_key ServerKeyBits 768 -LoginGraceTime 600 -+LoginGraceTime 30 ++LoginGraceTime 60 KeyRegenerationInterval 3600 -PermitRootLogin yes -+PermitRootLogin no - # +-# ++PermitRootLogin no ++# Rate-limit sshd connections to 5 connections per 10 seconds ++ConnectionsPerPeriod 5/10 # Don't read ~/.rhosts and ~/.shosts files IgnoreRhosts yes + # Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication |
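Review bot: in the first hunk (`@@ -1,6 +1,6 @@`) the inner hunk header moves from `@@ -3,11 +3,11 @@` to `@@ -2,12 +2,13 @@` while the `---` side still names the Thu Nov 11 distfile copy of sshd_config; the line counts match what is visible (one added context line `# Uncomment if you don't trust ~/.ssh/known_hosts ...` and two added lines), but the start line shifting from 3 to 2 against an unchanged source is the kind of thing a hand-edited header gets wrong, so please confirm the patch was regenerated from the distfile and applies without fuzz in a dry run of patch. The `+++` path also lost its `./` prefix (`+++ sshd_config Sun Dec 5 ...`), which is harmless for `patch -p0` but should match the other patch-* files in the port.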
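Review bot: in the second hunk (`@@ -8,10 +8,13 @@`), `++ConnectionsPerPeriod 5/10` is only understood by an sshd that carries the keyword implementation from this commit; the diffstat shown here is limited to patch-ao, so confirm the sshd/servconf patches land in the same commit, otherwise a stock OpenSSH 1.2 sshd will reject the unknown option at startup and the port ships a config it cannot load. The comment above it, `++# Rate-limit sshd connections to 5 connections per 10 seconds`, repeats "connections" and does not say what the two numbers in `5/10` are; suggest `# ConnectionsPerPeriod <connections>/<seconds>: admit at most 5 new connections in any 10-second period`. Also worth noting, since this hunk raises the grace time with `++LoginGraceTime 60`: at 5 connections per 10 seconds, each allowed to sit unauthenticated for 60 seconds, up to about 30 unauthenticated sshd children can be alive at once, which is the resource ceiling this rate limit is meant to bound; stating that number in the comment or the commit message would make the trade-off explicit.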