Re: NEW "SSH Brute Force " ruleset (20050628.0)

> To protect against DoS, is there any easy way of requiring that three
> packets be transferred in an SSH connection before it triggers a
> recent update?  Since someone spoofing source IPs to DoS would be
> unlikely to continue the connection with the server, such DoS attacks
> might be foiled more effectively this way than using rttl (which the
> attacker can just exhaustively try all values for).

(I've not responded to these posts b/c I don't have the needed resources in my kernel (and I'm not running modules) and I have not had the time to recompile for my Cobalt (non standard kernel & boot process).)

I think it would be very easy to use the connbytes module to test for the number of packets or the amount of data that has been transferred in any given connection.  In fact this is how I was going to determine on the packet level that an SSH connection was good and assume that the user had successfully logged in.  If any given connection has transferred x number of bytes or y number of packets then I'll assume (on the network layer) that they have successfully logged in on the application layer and that they are a valid user.



Grant. . . .
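The two ideas in this exchange (only count a source once its connection has actually carried a few packets, and forget a source once a connection has carried enough traffic to look like a real session) can be expressed with the iptables "recent" and "connbytes" matches. The script below is an added example written for this thread, not the 20050628.0 ruleset itself or any code from the poster. The chain name SSH_THROTTLE, the list name SSH_FAIL, the 3-packet and 200-packet thresholds, and the 4-hits-per-60-seconds limit are all assumptions chosen for illustration. connbytes reads conntrack's per-connection packet and byte counters; at the time of this thread it was a patch-o-matic extension, and on current kernels the accounting has to be switched on with net.netfilter.nf_conntrack_acct, which the script does.

```shell
#!/bin/sh
# Added example (not from the original thread): SSH brute-force throttle
# that only counts a source after the TCP handshake has completed.
# Run as "sh ssh-throttle.sh apply" to load the rules, or with DRY_RUN=1
# to print the iptables commands instead of executing them.

SSH_PORT=22
CHAIN=SSH_THROTTLE    # assumed chain name
LIST=SSH_FAIL         # assumed recent-module list name
HANDSHAKE_PKT=3       # assumed: 3rd client->server packet = handshake done
GOOD_SESSION_PKT=200  # assumed: 200 client packets = logged-in session
WINDOW=60             # seconds the recent list looks back
HITS=4                # completed connections per WINDOW before SYNs are dropped

# Wrapper so the same rule text can be printed (DRY_RUN=1) or loaded.
ipt() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

ssh_rules() {
    # connbytes relies on conntrack accounting; on kernels from 2.6.27 on
    # it must be enabled explicitly (harmless if the sysctl does not exist).
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "sysctl -w net.netfilter.nf_conntrack_acct=1"
    else
        sysctl -w net.netfilter.nf_conntrack_acct=1 >/dev/null 2>&1 || true
    fi

    ipt -N "$CHAIN" 2>/dev/null || true
    ipt -F "$CHAIN"
    ipt -A INPUT -p tcp --dport "$SSH_PORT" -j "$CHAIN"

    # 1. Drop a new connection when the source already has HITS entries in
    #    the list within WINDOW seconds. Entries are only ever created by
    #    rule 2, so a flood of spoofed SYNs cannot fill the list on behalf
    #    of a victim address.
    ipt -A "$CHAIN" -p tcp --dport "$SSH_PORT" -m conntrack --ctstate NEW \
        -m recent --name "$LIST" --update --seconds "$WINDOW" --hitcount "$HITS" -j DROP

    # 2. Record the source only when the Nth client->server packet of the
    #    connection arrives (typically SYN, ACK, then the client's banner),
    #    i.e. after the three-way handshake, which a spoofed source cannot
    #    complete. Matching exactly N:N makes --set fire once per
    #    connection instead of on every later packet.
    ipt -A "$CHAIN" -p tcp --dport "$SSH_PORT" -m conntrack --ctstate ESTABLISHED \
        -m connbytes --connbytes "$HANDSHAKE_PKT:$HANDSHAKE_PKT" \
        --connbytes-dir original --connbytes-mode packets \
        -m recent --name "$LIST" --set

    # 3. A connection that has carried GOOD_SESSION_PKT client packets is
    #    assumed, at the network layer, to be a logged-in user: forget the
    #    source so a legitimate admin is not throttled by a later typo.
    ipt -A "$CHAIN" -p tcp --dport "$SSH_PORT" -m conntrack --ctstate ESTABLISHED \
        -m connbytes --connbytes "$GOOD_SESSION_PKT:$GOOD_SESSION_PKT" \
        --connbytes-dir original --connbytes-mode packets \
        -m recent --name "$LIST" --remove

    # Everything else continues through the normal INPUT policy.
    ipt -A "$CHAIN" -j RETURN
}

case "${1:-}" in
    apply) ssh_rules ;;
esac
```

The packet thresholds are deliberately matched as exact values (3:3, 200:200) rather than ranges: an open-ended range such as 200: would hit on every subsequent packet of a long session and run --remove thousands of times. The rules live in their own chain so that `iptables -L SSH_THROTTLE -v` shows the counters for each stage, which is the quickest way to confirm that only completed connections are being recorded.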

