connection rate limitation for sshd - is it possible ?
Oliver Fromme
olli at lurza.secnetix.de
Fri Apr 7 14:26:39 UTC 2006
xdavid at svinew.natur.cuni.cz wrote:
> The original question was how to set sthg with IPF on my AMD64 box, so I
> thought it is amd64-related, sorry for my missunderstanding of the purpose
> of this list.
It is my understanding that this list is for amd64-specific
things. IPF and ssh are not amd64-specific.
> > It is unwise, because sshd has to generate the server key
> > each time it is started -- if started from inetd, that
> > would be each time a client connection is accepted.
>
> Thank you for giving me good reasons not to do it.
Hm. I might have been mistaken (I'm sorry for that). If I
recall correctly, the server key is only required for SSH
protocol version 1. Version 2 doesn't generate a server
key at all, but uses Diffie-Hellman for a shared session key.
Therefore, if you limit your sshd to protocol 2 _only_, then
doesn't have to generate a server key each time it starts,
and running it via inetd might be feasible. I have not
actually tried that, so I might be wrong.
> > Maybe using "MaxStartups" in your sshd_config would be a
> > better solution (refer to the manpage for details).
>
> The problem is it does not track source IPs so there is a DOS risk.
Unfortunately, it's not that easy. It depends what kind
of DoS attack you would like to prevent. Someone who has
sufficient bandwidth can always flood your link, no matter
whether your packet filter drops the stuff or not. So you
cannot prevent that kind of DoS attack at all.
However, the packet filter will prevent those packets from
reaching the daemon program (sshd, in this case). Whether
that has any significant effect depends on the software.
In the case of sshd, creating the session key is probably
not neglegible. And that has to happen before the client
authenticates, i.e. no matter whether it can successfully
log in or not.
But: If you try to solve the problem on packet filter level
(i.e. with IPFW, IPF or PF) by limiting the "setup" packets
per source IP, it is very easy to run a DoS attack against
you by simply sending a sufficient number of such SYN,!ACK
packets with your own (spoofed) source IP. Then you're
locked out. In fact, that kind of DoS is _very_ easy to
perform.
Best regards
Oliver
--
Oliver Fromme, secnetix GmbH & Co. KG, Marktplatz 29, 85567 Grafing
Dienstleistungen mit Schwerpunkt FreeBSD: http://www.secnetix.de/bsd
Any opinions expressed in this message may be personal to the author
and may not necessarily reflect the opinions of secnetix in any way.
"One of the main causes of the fall of the Roman Empire was that,
lacking zero, they had no way to indicate successful termination
of their C programs."
-- Robert Firth
More information about the freebsd-amd64
mailing list