Date: Sun, 1 Jan 2012 20:34:45 -0500
From: "Mike O'Connor" <mjo@...o.mi.org>
To: oss-security@...ts.openwall.com
Subject: Re: speaking of DoS, openssh and dropbear (CVE-2006-1206)

:On Sun, Jan 01, 2012 at 04:53:09PM +0100, Nico Golde wrote:
:> given the hash DoS I remembered a small program I wrote some time last year to 
:> demonstrate why the default configuration of openssh sucks (MaxStartups and 
:> LoginGraceTime).

FWIW, we've had to adjust the default MaxStartups for our ssh-heavy
cluster management software for many years now.  It doesn't even take
a casual abuser to deny service to all.

:I think not only the default configuration, but also the approach behind
:MaxStartups sucks (either a fixed limit or RED).  In fact, I told this
:to OpenSSH folks before, and I proposed an alternative, but clearly I
:should have done more (contributed code) in order for anything to change.
:
:To be fair, there are also things that I do like about MaxStartups: the
:idea to limit only not-yet-authenticated sessions (or to limit them
:separately from authenticated sessions) and the close-a-pipe-fd trick.
:
:> ... how to properly handle this issue with openssh?
:
:In the same way that I did in popa3d, I think: per-source limits.  Maybe
:also per-source-netblock (e.g., separately for /8, /16, /24 - although
:this is IPv4-specific and these don't reflect actual netblock allocations).

Any thoughts on what an appropriate default config for per-source
limits should be?  How many connections from a given source would
end up being too many for the default OpenSSH configuration?

-- 
 Michael J. O'Connor                                          mjo@...o.mi.org
 =--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--=
"I need a vacation."                                          -The Terminator
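
The per-source and per-netblock limits on not-yet-authenticated sessions proposed in the quoted text above, as an added example that is not part of the original message and is not code from OpenSSH or popa3d. The class name and the limit values are assumptions constructed for illustration; the thread does not settle on defaults.

```python
import ipaddress
from collections import Counter

# Constructed limits (prefix length -> max unauthenticated sessions).
# Illustrative values only, not recommended defaults.
LIMITS = {32: 3, 24: 6, 16: 12, 8: 24}


class PreAuthLimiter:
    """Hypothetical limiter: counts pre-auth sessions per source and per netblock."""

    def __init__(self, limits=LIMITS):
        self.limits = dict(limits)
        self.counts = Counter()

    def _keys(self, addr):
        # One key per tracked prefix length: the /32 itself, then its /24, /16, /8.
        return [ipaddress.ip_network(f"{addr}/{plen}", strict=False)
                for plen in self.limits]

    def admit(self, addr):
        """Count the session and return True, or return False if any limit is hit."""
        keys = self._keys(addr)
        if any(self.counts[k] >= self.limits[k.prefixlen] for k in keys):
            return False
        for k in keys:
            self.counts[k] += 1
        return True

    def release(self, addr):
        """Free the slot once an admitted session authenticates or closes."""
        for k in self._keys(addr):
            if self.counts[k] > 0:
                self.counts[k] -= 1


def demo():
    lim = PreAuthLimiter()
    # One source opens ten unauthenticated connections (documentation addresses).
    flood = [lim.admit("192.0.2.10") for _ in range(10)]
    other = lim.admit("198.51.100.7")      # unrelated source is unaffected
    neighbour = lim.admit("192.0.2.11")    # same /24, still under the /24 limit
    return flood.count(True), other, neighbour


if __name__ == "__main__":
    print(demo())
```

Unlike a single global cap, the flooding source exhausts only its own slots, and authenticated sessions are not counted because release() is called at authentication time.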
