We have many many outside sources that vary unpredictably, and we have no
control (or knowledge) over that. An alternative is to set up a bastion
host, but that will break a lot of file transfers and require painful
changes and new infrastructure. We may do that eventually.


At 09:37 AM 5/26/2006, David Swafford wrote:
>Hi Hermit921,
>Have you thought about using an access control list instead for the ssh
>connection? I am not deeply familiar with the PIX yet but I know on Cisco
>routers you can set up an access list that defines what source IPs are
>allowed to telnet into the box. I'm thinking functionality like this
>would be something that you might find on the PIX for ssh. On IOS routers
>it is configured slightly differently than a standard access list in that
>you configure it at the virtual interface I believe. I'm thinking that
>you might cause yourself some problems by limiting the attempts as this
>might prevent you from accessing the box.
>Anyone else have any thoughts on this?
>David A. Swafford
>Archbishop Alter High School
>Information Technology Team, Network Engineer
>A Cisco CCNA and a CompTIA Network+ and Security+ Certified Professional
> >>> hermit921@yahoo.com 5/26/2006 11:07 am >>>

>Can we set our PIX firewall to limit the rate at which ssh connection
>attempts are allowed? I would like to set it so that ssh is limited to 2
>connections per minute for any source/destination pair. Does this cause
>much impact on the PIX?
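The two approaches raised in the thread (restricting who may SSH to the box by source address, and throttling login attempts without locking yourself out) as an added configuration example, not taken from either poster. The 192.0.2.0/24 management network, the PIX interface name "inside", and the `!` annotation lines are assumptions; the `login block-for` feature is Cisco IOS only and is shown here as the IOS analog of the rate limit asked about.

```text
! --- Cisco PIX (6.x syntax): allow SSH to the firewall itself only from the
! --- management network (constructed addresses) arriving on the inside interface
ssh 192.0.2.0 255.255.255.0 inside
ssh timeout 5

! --- Cisco IOS: the vty access list David describes. Standard ACL 10 is applied
! --- to the virtual terminal lines with access-class, not to a data interface
access-list 10 remark Management hosts permitted to SSH to this router
access-list 10 permit 192.0.2.0 0.0.0.255
access-list 10 deny any log
line vty 0 4
 access-class 10 in
 transport input ssh

! --- Cisco IOS (12.3(4)T and later): throttle failed logins. After 3 failures
! --- within 60 seconds the router refuses new logins for 120 seconds (quiet mode).
! --- ACL 11 exempts the management hosts from quiet mode, which addresses the
! --- lockout concern David raises.
access-list 11 permit 192.0.2.0 0.0.0.255
login block-for 120 attempts 3 within 60
login quiet-mode access-class 11
login on-failure log
```

The `deny any log` entry and `login on-failure log` give a record of rejected management attempts, so the restriction can be verified from the device logs rather than trusted blindly.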

firewall-wizards mailing list