SSHD_config question
Adam Funk
a24061 at ducksburg.com
Thu Aug 14 20:29:26 UTC 2008
On 2008-08-14, Knapp wrote:
[MaxStartups option in sshd_config]
>> If you set it to 10:30:60, then there can always be 10 clients in that
>> state at a time, but the 11th one into that "pool" will face a 30%
>> chance of being dropped immediately; the 12th one will face a 33%
>> chance, and so on proportionally up to the 60th one, which faces an
>> almost 100% chance. If there are already 60 clients in that pool, all
>> subsequent attempts will fail until the pool shrinks.
>
> OK, that makes sense but the system should tune to your computer and flash a
> warning if things get crazy. I would bet that big systems have a very stable
> number of people in the signing on state per hour of the day. Smaller
> systems might not be so stable but still within a very tight range. An
> attack should jump outside this quickly.
The installation default is not to limit this at all.
> I just set mine to a simple two. Should work just fine. Any reason this
> might be wrong? Not like it is public and I am expecting huge numbers of
> users.
That sounds reasonable to me.
> I hope, pray, that my system has strong security at this point with ssh
> locked down hard and Firestarter locking out most other things. Have I
> missed anything?
Change "PermitRootLogin yes" to "PermitRootLogin no". It's also a
good idea to allow login by SSH keys only; generate a keypair using
ssh-keygen (there are some good HOWTOs on the web) and test the key
from a remote machine, then (after testing!) change
"PasswordAuthentication yes" to "PasswordAuthentication no". This
makes dictionary-based cracking impossible.
If you're running it on port 22 (the default), you will get a lot of
noise in your logs from bots trying to log in using root and common
account names. You can stop that by running it on a high-numbered
port. (This is security by obscurity and you should not *rely* on it,
but it definitely reduces log noise.)
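The checks from this reply (PermitRootLogin, PasswordAuthentication, the port) and the MaxStartups drop curve from the quoted explanation, as an added POSIX sh example; it is not from the thread or from OpenSSH. It assumes the sshd_config(5) rules that the first occurrence of a keyword wins and that keywords are case-insensitive, and the documented linear MaxStartups curve (rate% at start, 100% at full). The sample config is constructed for the demo; the function names are the example's own.

```shell
#!/bin/sh
# Added example, not from the thread: audit an sshd_config for the settings
# discussed above and decode a MaxStartups triple into its drop chance.

# Constructed sample config: still carries the two defaults the reply says to
# change, and a second PasswordAuthentication line that sshd will ignore.
SAMPLE_CONFIG='# sample sshd_config (constructed for this example)
Port 22
permitrootlogin yes
PasswordAuthentication yes
MaxStartups 10:30:60
PasswordAuthentication no   # ignored by sshd: first occurrence wins
'

# sshd_get KEY CONFIG -> value of the first non-comment line for KEY.
# Keywords are case-insensitive; blank lines and comments are skipped.
sshd_get() {
    printf '%s\n' "$2" | awk -v key="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || NF == 0 { next }
        tolower($1) == key { print $2; exit }'
}

# sshd_audit CONFIG -> one line per finding ("... expected ...") plus an
# informational line when sshd listens on the default port.
sshd_audit() {
    cfg=$1
    for kv in 'PermitRootLogin:no' 'PasswordAuthentication:no'; do
        key=${kv%%:*}; want=${kv#*:}
        v=$(sshd_get "$key" "$cfg")
        if [ "$(printf '%s' "$v" | tr 'A-Z' 'a-z')" != "$want" ]; then
            echo "$key is '${v:-<unset, sshd default>}', expected $want"
        fi
    done
    port=$(sshd_get Port "$cfg")
    if [ "${port:-22}" = 22 ]; then
        echo "Port 22: expect scanner noise in the logs (informational)"
    fi
    return 0
}

# sshd_audit_count CONFIG -> number of hard findings (lines with "expected").
sshd_audit_count() {
    sshd_audit "$1" | grep -c 'expected'
}

# maxstartups_drop_pct SPEC N -> integer percent chance that a new connection
# is refused while N unauthenticated connections are open. SPEC is either
# "start:rate:full" (linear from rate% at start to 100% at full, per
# sshd_config(5)) or a plain number, which refuses everything at that count.
maxstartups_drop_pct() {
    case $1 in
        *:*:*) start=${1%%:*}; rest=${1#*:}; rate=${rest%%:*}; full=${rest#*:} ;;
        *)     start=$1; rate=100; full=$1 ;;
    esac
    n=$2
    if [ "$n" -lt "$start" ]; then
        echo 0
    elif [ "$n" -ge "$full" ]; then
        echo 100
    else
        echo $(( rate + (100 - rate) * (n - start) / (full - start) ))
    fi
}

# Demo run over the constructed sample.
sshd_audit "$SAMPLE_CONFIG"
spec=$(sshd_get MaxStartups "$SAMPLE_CONFIG")
for n in 9 10 11 59 60; do
    echo "MaxStartups $spec: with $n open, drop chance $(maxstartups_drop_pct "$spec" "$n")%"
done
echo "MaxStartups 2: with 2 open, drop chance $(maxstartups_drop_pct 2 2)%"
```

Because sshd honours the first occurrence of a keyword, the audit reports `PasswordAuthentication yes` even though a later line says `no`; appending a hardened line to the end of a file that already sets the keyword does nothing, which is a common reason "locked down" configs are not. The single-number form (`MaxStartups 2`, as in the reply above) is simply start = full, so the third unauthenticated connection is always refused.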
More information about the ubuntu-users mailing list