SSHD_config question

Knapp magick.crow at gmail.com
Thu Aug 14 12:10:21 UTC 2008


On Thu, Aug 14, 2008 at 1:42 PM, Adam Funk <a24061 at ducksburg.com> wrote:

> On 2008-08-14, Knapp wrote:
>
> > Subject: SSHD_config question
> > MaxStartups
> >
> > Specifies the maximum number of concurrent unauthenticated connections to
> > the SSH daemon. Additional connections will be dropped until
> authentication
> > succeeds or the LoginGraceTime expires for a connection. The default is
> 10.
> >
> > Alternatively, random early drop can be enabled by specifying the three
> > colon separated values "start:rate:full" (e.g. "10:30:60"). sshd(8) will
> > refuse connection attempts with a probability of "rate/100" (30%) if
> there
> > are currently "start" (10) unauthenticated connections. The probability
> > increases linearly and all connection attempts are refused if the number
> of
> > unauthenticated connections reaches "full" (60).
> >
> > What the heck does this mean???? it is from the Man command.
> > The first one I think I understand. No more than X people can be doing
> > sign-in at the same time, right? But the second??? Why do we need it?
> What
> > does it do?
>
> "Concurrent unauthenticated connections" are the clients that have
> connected to the port but not finished logging in yet.  (I think you
> got that bit.)
>
> If you set it to 10:30:60, then there can always be 10 clients in that
> state at a time, but the 11th one into that "pool" will face a 30%
> chance of being dropped immediately; the 12th one will face a 33%
> chance, and so on proportionally up to the 60th one, which faces an
> almost 100% chance.  If there are already 60 clients in that pool, all
> subsequent attempts will fail until the pool shrinks.
>

OK, that makes sense, but the system should tune to your computer and flash a
warning if things get crazy. I would bet that big systems have a very stable
number of people in the signing-on state per hour of the day. Smaller
systems might not be so stable but still within a very tight range. An
attack should jump outside this quickly.

I just set mine to a simple two. Should work just fine. Any reason this
might be wrong? Not like it is public and I am expecting huge numbers of
users.
I hope, pray, that my system has strong security at this point with ssh
locked down hard and Firestarter locking out most other things. Have I
missed anything?


> I suspect the main purpose of this is to slow down brute-force userid-
> and password-cracking attempts, which might try to make as many
> concurrent connections as possible in order to work their way through
> the dictionary quickly.  Maybe someone else can confirm this?
>

I would love to hear more about this too.

-- 
Douglas E Knapp

http://sf-journey-creations.wikispot.org/Front_Page
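To make the "start:rate:full" arithmetic quoted above concrete, here is an added example (not code from the original post or from OpenSSH) that parses a MaxStartups value and works out the refusal percentage for a given number of unauthenticated connections. The percentage computation mirrors the integer arithmetic sshd uses in its drop_connection() check; the function names, the simulate_burst() model of a client that never finishes authenticating, and the sample values 10:30:60 and 2 are this example's own.

```python
"""Model of sshd's MaxStartups / random early drop decision.

Added example for this thread; not code from the original post or from
OpenSSH.  The percentage arithmetic follows what drop_connection() in
sshd.c does (integer percentages); names here are the example's own.
"""
import random


def parse_max_startups(value):
    """Parse a MaxStartups value, either "N" or "start:rate:full".

    A plain "N" behaves like "N:100:N": nothing is dropped while fewer
    than N connections are unauthenticated, everything is refused at N.
    """
    parts = value.strip().split(":")
    if len(parts) == 1:
        n = int(parts[0])
        return (n, 100, n)
    if len(parts) != 3:
        raise ValueError("MaxStartups must be N or start:rate:full")
    start, rate, full = (int(p) for p in parts)
    # sshd rejects a spec whose start exceeds full or whose rate is outside 1..100
    if start > full or not 1 <= rate <= 100:
        raise ValueError("Invalid MaxStartups spec: %s" % value)
    return (start, rate, full)


def drop_probability(unauthenticated, spec):
    """Percent chance that the next connection attempt is refused while
    `unauthenticated` connections are already waiting to log in."""
    start, rate, full = spec
    if unauthenticated < start:
        return 0
    if unauthenticated >= full or rate == 100:
        return 100
    # Linear ramp from `rate` at `start` up to 100 at `full`, integer math as in sshd
    return (100 - rate) * (unauthenticated - start) // (full - start) + rate


def should_drop(unauthenticated, spec, rng=random):
    """Randomised decision for one new connection (True = refuse it)."""
    return rng.randrange(100) < drop_probability(unauthenticated, spec)


def simulate_burst(spec, attempts, seed=1):
    """Constructed scenario: a client opens `attempts` connections and never
    authenticates, so each accepted one stays in the pool (until
    LoginGraceTime would expire it).  Returns how many sshd would accept."""
    rng = random.Random(seed)
    pool = 0
    for _ in range(attempts):
        if not should_drop(pool, spec, rng):
            pool += 1
    return pool


if __name__ == "__main__":
    spec = parse_max_startups("10:30:60")
    for n in (9, 10, 11, 35, 59, 60):
        print("%2d unauthenticated -> %3d%% chance of refusal" % (n, drop_probability(n, spec)))
    print("accepted out of 500 burst attempts:", simulate_burst(spec, 500))
    print("MaxStartups 2, third connection refusal %:",
          drop_probability(2, parse_max_startups("2")))
```

Two things worth checking on a real box: `sshd -T | grep -i maxstartups` prints the value the running configuration actually parsed, and remember that MaxStartups only bounds how many connections may sit unauthenticated at once, with LoginGraceTime bounding how long each may sit there. A guesser that opens one connection at a time is untouched by it, so it complements MaxAuthTries and key-only authentication rather than replacing them.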

