SSH login takes very long time...sometimes

David Malone dwmalone at maths.tcd.ie
Thu Feb 16 13:25:02 PST 2006


> Just a thought, wouldn't this open a new possibility for denial of 
> service attacks?

I doubt it. I'm guessing you're thinking of an attack where someone
makes many connections to sshd in a short time and runs you out of
processes? I think you can protect against this with the MaxStartups
directive in sshd_config. The amount of time that an attacker has
to open many connections is probably not that important, as you can
open a lot of TCP connections in 1 second even with a small link.

> Last year I already had to decrease the LoginGraceTime from 120 to 30 
> seconds on my production boxes, but it didn't help much, so on top of 
> that I got to implement (reinvent the wheel again) a script tailing the 
> auth.log and firewalling bad guys in order to secure sshd and let my 
> legitimate users in.

Are you trying to prevent the ssh scanners that just try well-known
combinations of usernames and passwords? It is not clear that you
gain much by firewalling these off, other than having fewer log
messages.

> I really miss the inetd features. A setting like "nowait/100/20/5" 
> (/max-child[/max-connections-per-ip-per-minute[/max-child-per-ip]]) 
> would effectively bounce the bad guys, but AFAIK (correct me if I'm 
> wrong), ssh is no longer supposed to work via inetd and still has no 
> such capabilities.

You can still run sshd through inetd (or, at least, the -i option
is still documented in the sshd man page). It does suggest that you
may need to reduce the key size to make this practical (increasing
LoginGraceTime here may help too ;-)

	David.
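The two mitigations discussed above, the MaxStartups ramp and a script that watches auth.log for repeated password failures, as an added worked example; this is not David's or the original poster's script, and it assumes the sshd_config(5) description of "MaxStartups start:rate:full" (refuse with probability rate% once `start` unauthenticated connections are pending, rising linearly to 100% at `full`). The auth.log lines are constructed in the standard sshd syslog format using documentation address ranges; the hypothetical `candidates_to_block` threshold of 3 is a parameter to tune, and feeding its result to the firewall (for example a pf table) is left to the operator.

```python
import re
from collections import Counter

# Constructed sample auth.log excerpt (not from the original thread), in the
# format sshd writes via syslog. Addresses are RFC 5737 documentation ranges.
SAMPLE_AUTH_LOG = """\
Feb 16 13:01:02 host sshd[1201]: Failed password for invalid user admin from 192.0.2.10 port 40122 ssh2
Feb 16 13:01:05 host sshd[1203]: Failed password for invalid user test from 192.0.2.10 port 40130 ssh2
Feb 16 13:01:07 host sshd[1205]: Failed password for root from 192.0.2.10 port 40141 ssh2
Feb 16 13:01:09 host sshd[1207]: Failed password for invalid user oracle from 192.0.2.10 port 40150 ssh2
Feb 16 13:02:11 host sshd[1210]: Accepted publickey for alice from 198.51.100.7 port 51022 ssh2
Feb 16 13:02:30 host sshd[1212]: Failed password for alice from 198.51.100.7 port 51030 ssh2
Feb 16 13:03:00 host sshd[1214]: Failed password for invalid user guest from 203.0.113.5 port 33012 ssh2
"""

# Matches sshd's "Failed password" line for both existing and invalid users.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def failed_logins_by_ip(log_text):
    """Count 'Failed password' events per source address."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            counts[m.group("ip")] += 1
    return counts


def candidates_to_block(log_text, threshold=3):
    """Addresses with at least `threshold` failures, most frequent first.

    `threshold` is a hypothetical tuning knob: a single typo from a
    legitimate user (198.51.100.7 in the sample) must not get them blocked.
    """
    counts = failed_logins_by_ip(log_text)
    return [ip for ip, n in counts.most_common() if n >= threshold]


def maxstartups_drop_probability(active, start, rate, full):
    """Percent chance sshd refuses a new unauthenticated connection.

    Models 'MaxStartups start:rate:full' as sshd_config(5) describes it:
    0% below `start`, `rate`% at `start`, then a linear ramp to 100% at
    `full`. Integer arithmetic mirrors what a C implementation would do.
    """
    if active < start:
        return 0
    if active >= full or rate == 100:
        return 100
    return (100 - rate) * (active - start) // (full - start) + rate


if __name__ == "__main__":
    print("failures per IP:", dict(failed_logins_by_ip(SAMPLE_AUTH_LOG)))
    print("block candidates:", candidates_to_block(SAMPLE_AUTH_LOG))
    for pending in (5, 10, 55, 100):
        p = maxstartups_drop_probability(pending, 10, 30, 100)
        print(f"MaxStartups 10:30:100 with {pending} pending -> refuse {p}%")
```

Running it against the constructed log reports 192.0.2.10 as the only block candidate, while the single failure from 198.51.100.7 (a real user who then authenticated with a key) stays below the threshold. The MaxStartups function shows why the directive answers the process-exhaustion worry in the thread: with "10:30:100" the daemon already refuses 65% of new unauthenticated connections at 55 pending and everything at 100, regardless of how fast an attacker opens them.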


More information about the freebsd-stable mailing list