SSHD_config question
Smoot Carl-Mitchell
smoot at tic.com
Thu Aug 14 14:15:35 UTC 2008
>
> I suspect the main purpose of this is to slow down brute-force userid-
> and password-cracking attempts, which might try to make as many
> concurrent connections as possible in order to work their way through
> the dictionary quickly. Maybe someone else can confirm this?
>
> I would love to hear more about this too.
I think it is mainly to slow down denial of service attacks on SSH.
Remember the link is encrypted and encryption is relatively expensive.
Enough SSH sessions at a time can slow a system down by burning up cpu
cycles which may slow down a legitimate attempt to get SSH access or
slow other services to a crawl because of high cpu utilization.
You can do similar rate limiting with iptables on Linux systems.
Something like:
iptables -I INPUT -p tcp --dport 22 -m state --state NEW -m recent --set
iptables -I INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 300 --hitcount 10 -j DROP
This has the advantage of selectively blocking specific source IP
addresses when the connection attempts exceed a specific threshold.
iptables syntax is hard to read (see the man page for the details), but
the above two lines will block connections to your SSH daemon from a
specific source IP address when new connections (e.g. TCP SYN packets)
are received from a specific IP address at a rate greater than 10 new
connections every 300 seconds.
--
Smoot Carl-Mitchell
System/Network Architect
smoot at tic.com
+1 480 922 7313
cell: +1 602 421 9005
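To see what those two rules actually do per source address, here is a small simulator added by the editor (not part of the post above) that models the recent module the way xt_recent counts: every NEW SYN is recorded, the 11th and later within any 300-second window is dropped, and because --update also refreshes the entry when it matches, a source that keeps retrying stays blocked until it has been quiet for 300 seconds. The sample addresses and timings are constructed, and the kernel's cap on stored timestamps (ip_pkt_list_tot, default 20) and --reap are not modeled.

```python
from collections import defaultdict

SECONDS = 300    # --seconds 300
HITCOUNT = 10    # --hitcount 10


class RecentList:
    """Per-source timestamp list, like one xt_recent table."""

    def __init__(self, seconds=SECONDS, hitcount=HITCOUNT):
        self.seconds = seconds
        self.hitcount = hitcount
        self.stamps = defaultdict(list)  # src ip -> times of NEW SYNs seen

    def new_connection(self, src, now):
        """Verdict for a NEW SYN from src at time now (seconds)."""
        # Rule 1 (--update): count stamps already inside the window; the
        # current packet is not counted, so the 11th SYN is the first DROP.
        inside = [s for s in self.stamps[src] if now - s <= self.seconds]
        if len(inside) >= self.hitcount:
            # Matched: DROP, and --update still records this packet, so a
            # source that keeps retrying keeps itself blocked.
            self.stamps[src].append(now)
            return "DROP"
        # Rule 2 (--set): remember this SYN and let the packet through.
        self.stamps[src].append(now)
        return "ACCEPT"


def run(events, seconds=SECONDS, hitcount=HITCOUNT):
    """events: (time, src_ip) pairs in time order -> (time, src, verdict)."""
    table = RecentList(seconds, hitcount)
    return [(t, src, table.new_connection(src, t)) for t, src in events]


# Constructed sample traffic (not real logs): 203.0.113.7 opens 12 SSH
# sessions two seconds apart, retries once 200 s later, then again 400 s
# after that; 198.51.100.2 makes a single normal login in the middle.
SAMPLE = sorted([(i * 2, "203.0.113.7") for i in range(12)]
                + [(15, "198.51.100.2"), (222, "203.0.113.7"),
                   (622, "203.0.113.7")])

if __name__ == "__main__":
    for t, src, verdict in run(SAMPLE):
        print(f"t={t:4d}s  {src:<14} {verdict}")
```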