SSHD_config question

[Adam Funk]

On 2008-08-14, Knapp wrote:

[MaxStartups option in sshd_config]

>> If you set it to 10:30:60, then there can always be 10 clients in that
>> state at a time, but the 11th one into that "pool" will face a 30%
>> chance of being dropped immediately; the 12th one will face a 33%
>> chance, and so on proportionally up to the 60th one, which faces an
>> almost 100% chance.  If there are already 60 clients in that pool, all
>> subsequent attempts will fail until the pool shrinks.
>
> OK, that makes sense but the system should tune to your computer and flash a
> warning if things get crazy. I would bet that big systems have a very stable
> number of people in the signing on state per hour of the day. Smaller
> systems might not be so stable but still within a very tight range. An
> attach should jump outside this quickly.

The installation default is not to limit this at all.

> I just set mine to a simple two. Should work just fine. Any reason this
> might be wrong? Not like it is public and I am expecting huge numbers of
> users.

That sounds reasonable to me.

> I hope, pray, that my system has strong security at this point with ssh
> locked down hard and Firestarter locking out most other things. Have I
> missed anything?

Change "PermitRootLogin yes" to "PermitRootLogin no".  It's also a
good idea to allow login by SSH keys only; generate a keypair using
ssh-keygen (there are some good HOWTOs on the web) and test the key
from a remote machine, then (after testing!) change
"PasswordAuthentication yes" to "PasswordAuthentication no".  This
makes dictionary-based cracking impossible.

If you're running it on port 22 (the default), you will get a lot of
noise in your logs from bots trying to log in using root and common
account names.  You can stop that by running it on a high-numbered
port.  (This is security by obscurity and you should not *rely* on it,
but it definitely reduces log noise.)