SSHD_config question

Smoot Carl-Mitchell smoot at tic.com
Thu Aug 14 14:15:35 UTC 2008


> 
>         I suspect the main purpose of this is to slow down brute-force
>         userid- and password-cracking attempts, which might try to make as
>         many concurrent connections as possible in order to work their way
>         through the dictionary quickly.  Maybe someone else can confirm this?
> 
> I would love to hear more about this too.

I think it is mainly to slow down denial of service attacks on SSH.
Remember the link is encrypted and encryption is relatively expensive.
Enough SSH sessions at a time can slow a system down by burning up CPU
cycles, which may slow down a legitimate attempt to get SSH access or
slow other services to a crawl because of high CPU utilization.

You can do similar rate limiting with iptables on Linux systems.
Something like:

# Record each new (SYN) connection to port 22 in the "recent" list for its source address
iptables -I INPUT -p tcp --dport 22 -m state --state NEW -m recent --set
# Drop the new connection if that source already has 10 or more hits in the last 300 seconds;
# because both rules are inserted with -I, this second rule ends up first in the chain
iptables -I INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 300 --hitcount 10 -j DROP

This has the advantage of selectively blocking specific source IP
addresses when the connection attempts exceed a specific threshold.
iptables syntax is hard to read (see the man page for the details), but
the above two lines will block connections to your SSH daemon from a
specific source IP address when new connections (e.g. TCP SYN packets)
are received from a specific IP address at a rate greater than 10 new
connections every 300 seconds.
-- 
Smoot Carl-Mitchell
System/Network Architect
smoot at tic.com
+1 480 922 7313
cell: +1 602 421 9005
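The two iptables rules above rely on the kernel "recent" match, whose sliding-window semantics are easy to misjudge. The following is an added example (not part of the original message) that models those semantics in Python over constructed SSH connection events, so the threshold behaviour can be checked without touching a firewall. It assumes the default of 20 stored timestamps per address (the recent module's ip_pkt_list_tot default) and the chain order produced by the two -I inserts, i.e. the --update/DROP rule is evaluated before the --set rule.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 300   # --seconds 300
HITCOUNT = 10          # --hitcount 10
MAX_STAMPS = 20        # assumed kernel default (ip_pkt_list_tot) for stamps kept per address


class RecentList:
    """Minimal model of one xt_recent list keyed by source IP."""

    def __init__(self):
        self.stamps = defaultdict(lambda: deque(maxlen=MAX_STAMPS))

    def update_matches(self, ip, now):
        """`--update --seconds W --hitcount N`: match only if the address is already
        listed and has at least N stamps inside the last W seconds. On a match the
        entry is refreshed with a new stamp, so dropped attempts keep the block alive."""
        if ip not in self.stamps:
            return False
        hits = sum(1 for t in self.stamps[ip] if now - t <= WINDOW_SECONDS)
        if hits >= HITCOUNT:
            self.stamps[ip].append(now)
            return True
        return False

    def set(self, ip, now):
        """`--set`: add a stamp for the address, creating the entry if needed."""
        self.stamps[ip].append(now)


def filter_syns(syns):
    """Run (time, ip) NEW-connection events through the rule pair in chain order
    (the --update/DROP rule first, then --set). Returns (time, ip, verdict) tuples."""
    recent = RecentList()
    verdicts = []
    for now, ip in syns:
        if recent.update_matches(ip, now):
            verdicts.append((now, ip, "DROP"))
            continue
        recent.set(ip, now)
        verdicts.append((now, ip, "ACCEPT"))
    return verdicts


# Constructed sample: one source opens a new SSH connection every 5 seconds,
# another opens one every 2 minutes (far below 10 per 300 s).
SAMPLE_SYNS = sorted(
    [(t, "203.0.113.5") for t in range(0, 120, 5)] +
    [(t, "198.51.100.7") for t in range(0, 1200, 120)]
)
```

Running `filter_syns(SAMPLE_SYNS)` shows the fast source accepted for its first 10 attempts and dropped from the 11th (t=50) onward, while the slow source is never blocked; note that because `--update` refreshes the entry on every match, a source that keeps retrying stays blocked until it pauses for the full 300 seconds.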




More information about the ubuntu-users mailing list