SSHD_config question

Adam Funk a24061 at ducksburg.com
Thu Aug 14 11:42:24 UTC 2008


On 2008-08-14, Knapp wrote:

> Subject: SSHD_config question
> MaxStartups
>
> Specifies the maximum number of concurrent unauthenticated connections to
> the SSH daemon. Additional connections will be dropped until authentication
> succeeds or the LoginGraceTime expires for a connection. The default is 10.
>
> Alternatively, random early drop can be enabled by specifying the three
> colon separated values "start:rate:full" (e.g. "10:30:60"). sshd(8) will
> refuse connection attempts with a probability of "rate/100" (30%) if there
> are currently "start" (10) unauthenticated connections. The probability
> increases linearly and all connection attempts are refused if the number of
> unauthenticated connections reaches "full" (60).
>
> What the heck does this mean???? It is from the man command.
> The first one I think I understand. No more than X people can be doing
> sign-in at the same time, right? But the second??? Why do we need it? What
> does it do?

"Concurrent unauthenticated connections" are the clients that have
connected to the port but not finished logging in yet.  (I think you
got that bit.)

If you set it to 10:30:60, then there can always be 10 clients in that
state at a time, but the 11th one into that "pool" will face a 30%
chance of being dropped immediately; the 12th one will face a 33%
chance, and so on proportionally up to the 60th one, which faces an
almost 100% chance.  If there are already 60 clients in that pool, all
subsequent attempts will fail until the pool shrinks.

I suspect the main purpose of this is to slow down brute-force userid-
and password-cracking attempts, which might try to make as many
concurrent connections as possible in order to work their way through
the dictionary quickly.  Maybe someone else can confirm this?
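As an added illustration (not part of this thread, and not the OpenSSH source), the following Python models the "start:rate:full" behaviour exactly as the quoted man page describes it: no refusals below "start", a refusal probability of rate/100 at "start", rising linearly to certain refusal at "full". It also parses the directive, and runs a toy burst in which no client ever completes authentication, which is the situation the option is meant to contain. The interpretation of the plain "N" form as start=N, rate=100, full=N is an assumption made for this example.

```python
import random


def parse_max_startups(value):
    """Parse an sshd_config MaxStartups value into (start, rate, full).

    A plain "N" is modelled here (assumption of this example) as
    start=N, rate=100, full=N: once N unauthenticated connections are
    pending, every further attempt is refused.
    """
    parts = value.strip().split(":")
    if len(parts) == 1:
        n = int(parts[0])
        if n < 1:
            raise ValueError("MaxStartups must be positive")
        return n, 100, n
    if len(parts) != 3:
        raise ValueError("expected N or start:rate:full")
    start, rate, full = (int(p) for p in parts)
    if not (1 <= rate <= 100) or start < 1 or start > full:
        raise ValueError("need 1 <= start <= full and 1 <= rate <= 100")
    return start, rate, full


def refusal_probability(pending, start, rate, full):
    """Probability (0.0 to 1.0) that a new attempt is refused when
    `pending` connections are already waiting unauthenticated.

    Follows the man page text: 0 below start, rate/100 at start,
    linear increase up to 1.0 at full.
    """
    if pending < start:
        return 0.0
    if pending >= full:
        return 1.0
    percent = rate + (100 - rate) * (pending - start) / (full - start)
    return percent / 100.0


def simulate_burst(value, attempts, seed=0):
    """Model `attempts` connection attempts arriving while no client
    finishes logging in (constructed worst case).  Returns
    (accepted, refused); accepted attempts join the unauthenticated pool."""
    start, rate, full = parse_max_startups(value)
    rng = random.Random(seed)  # seeded so the toy run is reproducible
    pending = accepted = refused = 0
    for _ in range(attempts):
        if rng.random() < refusal_probability(pending, start, rate, full):
            refused += 1
        else:
            accepted += 1
            pending += 1
    return accepted, refused


if __name__ == "__main__":
    start, rate, full = parse_max_startups("10:30:60")
    for pending in (0, 9, 10, 11, 35, 59, 60, 100):
        p = refusal_probability(pending, start, rate, full)
        print(f"{pending:3d} pending -> refuse with probability {p:.2f}")
    print("burst of 500 with 10:30:60 ->", simulate_burst("10:30:60", 500))
    print("burst of 50 with plain 10  ->", simulate_burst("10", 50))
```

The burst run shows the defensive effect: with "10:30:60" the unauthenticated pool never grows past 60 no matter how many attempts arrive, and most of a flood is turned away well before that, while legitimate users still get through with high probability while the pool is small.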
