Re: [fw-wiz] cisco ssh rate limit
- From: hermit921 <hermit921@xxxxxxxxx>
- Date: Fri, 26 May 2006 11:18:19 -0700
We have many, many outside sources that vary unpredictably, and we have no
control (or knowledge) over that. An alternative is to set up a bastion
host, but that will break a lot of file transfers and require painful
changes and new infrastructure. We may do that eventually.
hermit921
At 09:37 AM 5/26/2006, David Swafford wrote:
Hi Hermit921,
Have you thought about using an access control list instead for the ssh
connection? I am not deeply familiar with the PIX yet but I know on Cisco
routers you can set up an access list that defines what source IPs are
allowed to telnet into the box. I'm thinking functionality like this
would be something that you might find on the PIX for ssh. On IOS routers
it is configured slightly differently than a standard access list in that
you configure it at the virtual interface I believe. I'm thinking that
you might cause yourself some problems by limiting the attempts as this
might prevent you from accessing the box.
Anyone else have any thoughts on this?
David A. Swafford
Archbishop Alter High School
Information Technology Team, Network Engineer
A Cisco CCNA and a CompTIA Network+ and Security+ Certified Professional
hermit921@xxxxxxxxx 5/26/2006 11:07 am >>>
Can we set our PIX firewall to limit the rate at which ssh connection
attempts are allowed? I would like to set it so that ssh is limited to 2
connections per minute for any source/destination pair. Does this cause
much impact on the PIX?
hermit921
_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxxxxx
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards