SSH login takes very long time...sometimes
Atanas
atanas at asd.aplus.net
Thu Feb 16 17:43:23 PST 2006
David Malone said the following on 02/16/06 13:24:
>> Just a thought, wouldn't this open a new possibility for denial of
>> service attacks?
>
> I doubt it. I'm guessing you're thinking of an attack where someone
> makes many connections to sshd in a short time and runs you out of
> processes? I think you can protect against this with the MaxStartups
> directive in sshd_config. The amount of time that an attacker has
> to open many connections is probably not that important, as you can
> open a lot of TCP connections in 1 second even with a small link.
>
These were different types of attacks, primarily originating from single
IP addresses:
1. Dictionary attacks taking as much concurrent unauthenticated
connections as possible and with speeds as fast as the server can
respond. These were happening like a few up to several times a day,
sometimes lasting hours.
2. Time based attacks taking again all of the available MaxStartups, but
then doing nothing until the LoginGraceTime expires, then again, etc.
These were not so frequent, but had the worst impact on the ssh
availability.
3. Network scans on machines hosting some hundreds (or in some cases
thousands) of IP addresses, causing outages lasting just a few minutes
or so.
>> Last year I already had to decrease the LoginGraceTime from 120 to 30
>> seconds on my production boxes, but it didn't help much, so on top of
>> that I got to implement (reinvent the wheel again) a script tailing the
>> auth.log and firewalling bad gyus in order to secure sshd and let my
>> legitimate users in.
>
> Are you trying to prevent the ssh scanners that just try well-known
> combinations of usernames and passwords? It is not clear that you
> gain much by firewalling these off, other than having fewer log
> messages.
>
All of the above three. It wasn't just a matter of too much log
messages. The type 1. for instance, besides the ssh unavailability, and
depending on the MaxStartups setting, can bring a server to its knees by
dedicating all of its available resources for bouncing unauthenticated
ssh requests.
I tried setting a 'limit' ipfw firewall rule, something like:
ipfw add allow tcp from any to any 22 in setup limit src-addr 5
I already had success with such a rule for a first level SMTP DoS
protection before sendmail got its per-client and rate connection limits
built in (since 8.13.0), and still keep that on, just in case.
But unlike sendmail, ssh instances when hammered with bogus requests are
way more CPU intensive. I couldn't afford limiting the ssh connectivity
to just one single session per client IP (someone might need multiple
ssh sessions while working on something, right?), and in case of
multiple sessions enabled, machines would be still vulnerable to CPU
overload (i.e. bouncing tons of useless ssh authentication attempts).
So the best option for me was to implement a log analyzer script placing
temporary blocks on the firewall when necessary. Like after 5 "Illegal
user" or "Failed password for" or "Did not receive identification
string" events, the script simply denies that IP right away on the
firewall for one hour. So far this works well (for about 6 months
already) and I no longer see unusual load spikes or ssh connectivity
outages like before.
>> I really miss the inetd features. A setting like "nowait/100/20/5"
>> (/max-child[/max-connections-per-ip-per-minute[/max-child-per-ip]])
>> would effectively bounce the bad guys, but AFAIK (correct me if I'm
>> wrong), ssh is no longer supposed to work via inetd and still has no
>> such capabilities.
>
> You can still run sshd through inetd (or, at least, the -i option
> is still documented in the sshd man page). If does suggest that you
> may need to reduce the key size to make this practical (increasing
> LoginGraceTime here may help too ;-)
>
I knew that, but actually never tried it thinking it would be too slow.
Now I just ran a ssh-keygen and found that it takes only a few seconds
for a 1024-bit and several for 2048-bit key. So it's not that much bad
and running it with 512 or 1024-bit key through inetd seems feasible enough.
The default ssh key length in FreeBSD-6 however just got doubled from
1024 to 2048-bit. I believe there's a reason for that and don't like the
idea of going down.
Regards,
Atanas
More information about the freebsd-stable
mailing list