connection rate limitation for sshd - is it possible ?
user name
2006-04-06 11:33:29
This is off-topic (not amd64-related),
and you hijacked another thread, but anyway ...

xdavidsvinew.natur.cuni.cz wrote:
 > please, is there a way to limit the number of connections to openssh
 > daemon per time period per source ip address ? I am using this on linux
 > boxes with iptables, but couldn't figure out how to do this with IPF on
 > FreeBSD. If it is not possible, is there another way how to do this ? Or
 > do you think it is (un)wise to run sshd under inetd with "-C" switch or
 > "max-connections-per-ip-per-minute" parameter ?

It is unwise, because sshd has to generate the server key
each time it is started -- if started from inetd, that
would be each time a client connection is accepted.

Please read the description of the "-i" option in the sshd
manpage.  It explains it pretty well.

Maybe using "MaxStartups" in your sshd_config would be a
better solution (refer to the manpage for details).

Best regards
   Oliver

-- 
Oliver Fromme,  secnetix GmbH & Co. KG, Marktplatz 29, 85567 Grafing
Services with a focus on FreeBSD: http://www.secnetix.de/bsd

Any opinions expressed in this message may be personal to the author
and may not necessarily reflect the opinions of secnetix in any way.

"If you think C++ is not overly complicated, just what is a protected
abstract virtual base pure virtual private destructor, and when was the
last time you needed one?"
        -- Tom Cargill, C++ Journal
_______________________________________________
freebsd-amd64@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-amd64
To unsubscribe, send any mail to "freebsd-amd64-unsubscribe@freebsd.org"
connection rate limitation for sshd - is it possible ?
user name
2006-04-07 09:54:45
> This is off-topic (not amd64-related),
> and you hijacked another thread, but anyway ...

The original question was how to set something with IPF on my AMD64 box,
so I thought it was amd64-related; sorry for my misunderstanding of the
purpose of this list.

> > please, is there a way to limit the number of connections to openssh
> > daemon per time period per source ip address ? I am using this on linux
> > boxes with iptables, but couldn't figure out how to do this with IPF on
> > FreeBSD. If it is not possible, is there another way how to do this ? Or
> > do you think it is (un)wise to run sshd under inetd with "-C" switch or
> > "max-connections-per-ip-per-minute" parameter ?
>
> It is unwise, because sshd has to generate the server key
> each time it is started -- if started from inetd, that
> would be each time a client connection is accepted.

Thank you for giving me good reasons not to do it.

> Maybe using "MaxStartups" in your sshd_config would be a
> better solution (refer to the manpage for details).

The problem is it does not track source IPs, so there is a DoS risk. I got
other advice on how to set up PF, so I'll play with it, but as the short-term
solution I'll probably use inetd while there are only a few people using sshd
on that machine now; more users will be added later.

Best Regards,

   David
connection rate limitation for sshd - is it possible ?
user name
2006-04-07 14:26:28
xdavidsvinew.natur.cuni.cz wrote:
 > The original question was how to set something with IPF on my AMD64 box, so I
 > thought it was amd64-related, sorry for my misunderstanding of the purpose
 > of this list.

It is my understanding that this list is for amd64-specific
things.  IPF and ssh are not amd64-specific.

 > > It is unwise, because sshd has to generate the server key
 > > each time it is started -- if started from inetd, that
 > > would be each time a client connection is accepted.
 > 
 > Thank you for giving me good reasons not to do it.

Hm.  I might have been mistaken (I'm sorry for that).  If I
recall correctly, the server key is only required for SSH
protocol version 1.  Version 2 doesn't generate a server
key at all, but uses Diffie-Hellman for a shared session
key.

Therefore, if you limit your sshd to protocol 2 _only_, then it
doesn't have to generate a server key each time it starts,
and running it via inetd might be feasible.  I have not
actually tried that, so I might be wrong.

 > > Maybe using "MaxStartups" in your sshd_config would be a
 > > better solution (refer to the manpage for details).
 > 
 > The problem is it does not track source IPs so there is a DoS risk.

Unfortunately, it's not that easy.  It depends what kind
of DoS attack you would like to prevent.  Someone who has
sufficient bandwidth can always flood your link, no matter
whether your packet filter drops the stuff or not.  So you
cannot prevent that kind of DoS attack at all.

However, the packet filter will prevent those packets from
reaching the daemon program (sshd, in this case).  Whether
that has any significant effect depends on the software.
In the case of sshd, creating the session key is probably
not negligible.  And that has to happen before the client
authenticates, i.e. no matter whether it can successfully
log in or not.

But:  If you try to solve the problem on packet filter level
(i.e. with IPFW, IPF or PF) by limiting the "setup" packets
per source IP, it is very easy to run a DoS attack against
you by simply sending a sufficient number of such SYN,!ACK
packets with your own (spoofed) source IP.  Then you're
locked out.  In fact, that kind of DoS is _very_ easy to
perform.

Best regards
   Oliver

-- 

"One of the main causes of the fall of the Roman Empire was that,
lacking zero, they had no way to indicate successful termination
of their C programs."
        -- Robert Firth
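A pf.conf fragment for the per-source-address limit David asked about, added here as an example; it is not from the thread or from any project's configuration, and the interface name, table names, thresholds and the admin address are assumptions to adjust locally. It also carries the allow-list a defender wants against the lockout Oliver describes.

```pf
# Added example (not from the thread): per-source rate limiting of sshd with PF
# on FreeBSD. Interface, table names, thresholds and addresses are assumptions.
ext_if = "em0"                           # assumed external interface

# Addresses that must never be locked out by the rate limit. 'quick' stops rule
# evaluation here, so the limit below never counts their connections.
# 192.0.2.10 is a constructed documentation address, not a real host.
table <ssh_admins> persist { 192.0.2.10 }
pass in quick on $ext_if proto tcp from <ssh_admins> to ($ext_if) port ssh \
    flags S/SA keep state

# Addresses that exceeded the limit. 'persist' keeps the table even while it
# is empty. Review it with:   pfctl -t ssh_abusers -T show
# Expire old entries with:    pfctl -t ssh_abusers -T expire 3600
table <ssh_abusers> persist
block in quick on $ext_if proto tcp from <ssh_abusers> to ($ext_if) port ssh

# New SSH connections: at most 5 per source address in any 60-second window.
# A source that exceeds the rate is added to <ssh_abusers> and, because of
# 'flush global', all of its existing states (to any service) are removed.
pass in on $ext_if proto tcp from any to ($ext_if) port ssh \
    flags S/SA keep state \
    (max-src-conn-rate 5/60, overload <ssh_abusers> flush global)
```

Because the limit keys on the source address alone, a burst of attempts bearing a legitimate client's address can still land that address in <ssh_abusers>, which is the lockout the thread warns about; the allow-list and the expire command bound the damage. The global MaxStartups ceiling in sshd_config still applies on top of this rule, so the two protect against different things.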