Date: Fri, 7 Apr 2006 16:26:28 +0200 (CEST)
From: Oliver Fromme <olli@lurza.secnetix.de>
To: freebsd-amd64@FreeBSD.ORG
Subject: Re: connection rate limitation for sshd - is it possible ?
Message-ID: <200604071426.k37EQSKF056988@lurza.secnetix.de>
In-Reply-To: <Pine.LNX.4.64.0604071147320.18549@svinew.natur.cuni.cz>
xdavid@svinew.natur.cuni.cz wrote:

> The original question was how to set sthg with IPF on my AMD64 box, so I
> thought it is amd64-related, sorry for my misunderstanding of the purpose
> of this list.

It is my understanding that this list is for amd64-specific things. IPF and ssh are not amd64-specific.

> > It is unwise, because sshd has to generate the server key
> > each time it is started -- if started from inetd, that
> > would be each time a client connection is accepted.
>
> Thank you for giving me good reasons not to do it.

Hm. I might have been mistaken (I'm sorry for that). If I recall correctly, the server key is only required for SSH protocol version 1. Version 2 doesn't generate a server key at all, but uses Diffie-Hellman for a shared session key. Therefore, if you limit your sshd to protocol 2 _only_, then it doesn't have to generate a server key each time it starts, and running it via inetd might be feasible. I have not actually tried that, so I might be wrong.

> > Maybe using "MaxStartups" in your sshd_config would be a
> > better solution (refer to the manpage for details).
>
> The problem is it does not track source IPs so there is a DOS risk.

Unfortunately, it's not that easy. It depends on what kind of DoS attack you would like to prevent.

Someone who has sufficient bandwidth can always flood your link, no matter whether your packet filter drops the stuff or not. So you cannot prevent that kind of DoS attack at all.

However, the packet filter will prevent those packets from reaching the daemon program (sshd, in this case). Whether that has any significant effect depends on the software. In the case of sshd, creating the session key is probably not negligible. And that has to happen before the client authenticates, i.e. no matter whether it can successfully log in or not.

But: If you try to solve the problem on packet filter level (i.e. with IPFW, IPF or PF) by limiting the "setup" packets per source IP, it is very easy to run a DoS attack against you by simply sending a sufficient number of such SYN,!ACK packets with your own (spoofed) source IP. Then you're locked out. In fact, that kind of DoS is _very_ easy to perform.

Best regards
   Oliver

-- 
Oliver Fromme, secnetix GmbH & Co. KG, Marktplatz 29, 85567 Grafing
Dienstleistungen mit Schwerpunkt FreeBSD: http://www.secnetix.de/bsd
Any opinions expressed in this message may be personal to the author
and may not necessarily reflect the opinions of secnetix in any way.

"One of the main causes of the fall of the Roman Empire was that,
lacking zero, they had no way to indicate successful termination
of their C programs."
        -- Robert Firth
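The "MaxStartups" option discussed above makes its decision from the global count of unauthenticated connections, not from the source address, which is why it cannot be used to lock a particular client out. The following is an added illustration (not code from this thread or from OpenSSH) that models the "start:rate:full" policy as sshd_config(5) describes it; the class and method names are my own.

```python
"""Model of sshd's MaxStartups "start:rate:full" random-early-drop policy.

Added illustration, not OpenSSH code. Given the number of connections that
are currently unauthenticated, it decides whether one more attempt is
accepted. Names (MaxStartups, parse, accept) are assumptions of this model.
"""
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class MaxStartups:
    start: int   # unauthenticated connections at which dropping begins
    rate: int    # drop probability in percent at exactly `start` connections
    full: int    # at this many unauthenticated connections all attempts are refused

    @classmethod
    def parse(cls, value: str) -> "MaxStartups":
        """Parse "10:30:60"; a bare "10" means refuse everything beyond 10."""
        parts = [int(p) for p in value.split(":")]
        if len(parts) == 1:
            return cls(parts[0], 100, parts[0])
        if len(parts) != 3:
            raise ValueError(f"bad MaxStartups value: {value!r}")
        start, rate, full = parts
        if not (0 < start <= full and 0 <= rate <= 100):
            raise ValueError(f"bad MaxStartups value: {value!r}")
        return cls(start, rate, full)

    def drop_probability(self, unauthenticated: int) -> float:
        """Probability (0..1) that a new attempt is refused at this load."""
        if unauthenticated < self.start:
            return 0.0
        if unauthenticated >= self.full:
            return 1.0
        # linear ramp from rate% at `start` up to 100% at `full`
        span = self.full - self.start
        ramp = (100 - self.rate) * (unauthenticated - self.start) / span
        return (self.rate + ramp) / 100

    def accept(self, unauthenticated: int, rng=None) -> bool:
        """Decision for one attempt. Keyed only on the global count, so a
        flood degrades service for everyone but never blocks one address."""
        rng = rng or random
        return rng.random() >= self.drop_probability(unauthenticated)


if __name__ == "__main__":
    policy = MaxStartups.parse("10:30:60")
    for load in (5, 10, 35, 60):
        print(load, f"{policy.drop_probability(load):.2f}", policy.accept(load))
```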