From: Michael Proto
To: Dmitry Pryanishnikov, Michael Proto
Cc: freebsd-stable@freebsd.org
Date: Fri, 10 Mar 2006 13:36:16 -0500 (GMT-05:00)
Subject: Re: RELENG_4 on flash disk and swap
Message-ID: <2838070.1142015777207.JavaMail.root@mswamui-thinleaf.atl.sa.earthlink.net>

>On Fri, 10 Mar 2006, Michael Proto wrote:
>> My suggestion would then be to utilize resource limits in
>> /etc/login.conf for the sshd user (in your example) or other user
>> accounts for applications that you don't want running out of control.
>> See login.conf(5) and login_cap(3) for more details on this. In
>> particular, the datasize, stacksize, memoryuse, and vmemoryuse options
>> may be of benefit.
>
> OK, I'm aware about this measure. But have you tried it yourself against,
>e.g., OpenSSH? I doubt it. Look at the following:
>
>dmitry@test$ ps axu |grep ssh
>root   20213 0.0 1.3 54724 3356 ?? Is 4:00PM 0:00.10 sshd: dmitry [priv]
>dmitry 20216 0.0 1.3 54724 3356 ?? I  4:00PM 0:00.03 sshd: dmitry@tty
>root   20229 0.0 1.3 54724 3356 ?? Ss 4:00PM 0:00.10 sshd: dmitry [priv]
>dmitry 20232 0.0 1.3 54724 3356 ?? S  4:00PM 0:00.03 sshd: dmitry@tty
>
>It's the result of 2 incoming OpenSSH sessions: 2 processes per session,
>one of them root's and another user's. SSH.COM's sshd always works as a root.
>Also, during the DoS attack (simultaneous setup of many incoming TCP
>connections to 22nd port) there will be many root's processes like this:
>
>root   20278 0.0 1.1 52016 2884 ?? Is 4:07PM 0:00.04 sshd: [accepted]
>
>Do you really advise to lower root's limits? I'm sure you don't ;)
>
>
>Sincerely, Dmitry
>--
>Atlantis ISP, System Administrator
>e-mail: dmitry@atlantis.dp.ua
>nic-hdl: LYNX-RIPE

You're correct, I could have sworn that sshd ran as the sshd user with
the (somewhat) new privsep settings but it appears that I'm mistaken. My
only other (albeit limited) suggestion would be to do something like
inbound connection limiting that is available in pf to prevent the
DoS-like scenarios you are mentioning.

-Proto
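
The inbound connection limiting suggested in the reply above, sketched as a pf.conf fragment. This is an added example, not part of the original message; the interface name, table name and thresholds are assumptions, and it presumes a pf version that supports the max-src-conn, max-src-conn-rate and overload state options.

```pf
# Added example. em0, <ssh_flood> and all numeric limits are assumed values.
ext_if = "em0"

# Source addresses that exceed the limits below are collected here.
table <ssh_flood> persist

# Drop everything from sources that have already been flagged.
block in quick on $ext_if from <ssh_flood>

# Allow inbound SSH with per-source state tracking:
#   max-src-conn 5         at most 5 simultaneous connections that have
#                          completed the TCP handshake, per source address
#   max-src-conn-rate 3/30 at most 3 new connections per source in 30 seconds
#   overload <ssh_flood>   add a source that exceeds either limit to the table
#   flush global           also remove the states that source already holds
# Each connection counted here is one that would otherwise reach accept()
# and produce a root-owned "sshd: [accepted]" process as in the ps output.
pass in on $ext_if proto tcp from any to ($ext_if) port 22 \
    flags S/SA keep state \
    (max-src-conn 5, max-src-conn-rate 3/30, \
     overload <ssh_flood> flush global)
```

The limits are enforced per source address in the packet filter, so they apply regardless of which user the sshd processes run as; they bound what a single host can open, not the total number of connections arriving from many hosts.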