Date: Sun, 1 Jan 2012 20:34:45 -0500
From: "Mike O'Connor" <mjo@...o.mi.org>
To: oss-security@...ts.openwall.com
Subject: Re: speaking of DoS, openssh and dropbear (CVE-2006-1206)

:On Sun, Jan 01, 2012 at 04:53:09PM +0100, Nico Golde wrote:
:> given the hash DoS I remembered a small program I wrote some time last year to
:> demonstrate why the default configuration of openssh sucks (MaxStartups and
:> LoginGraceTime).

FWIW, we've had to adjust the default MaxStartups for our ssh-heavy cluster
management software for many years now.  It doesn't even take a casual abuser
to deny service to all.

:I think not only the default configuration, but also the approach behind
:MaxStartups sucks (either a fixed limit or RED).  In fact, I told this
:to OpenSSH folks before, and I proposed an alternative, but clearly I
:should have done more (contributed code) in order for anything to change.
:
:To be fair, there are also things that I do like about MaxStartups: the
:idea to limit only not-yet-authenticated sessions (or to limit them
:separately from authenticated sessions) and the close-a-pipe-fd trick.
:
:> ... how to properly handle this issue with openssh?
:
:In the same way that I did in popa3d, I think: per-source limits.  Maybe
:also per-source-netblock (e.g., separately for /8, /16, /24 - although
:this is IPv4-specific and these don't reflect actual netblock allocations).

Any thoughts on what an appropriate default config for per-source limits
should be?  How many connections from a given source would end up being
too many for the default OpenSSH configuration?

-- 
Michael J. O'Connor                                          mjo@...o.mi.org
=--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--=
"I need a vacation."                                          -The Terminator
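The exchange above contrasts a global MaxStartups limit (fixed or RED) with the per-source limit proposed for sshd. The simulation below is an added example, not code from this thread or from OpenSSH: it models the admission rule of sshd_config(5) (MaxStartups "start:rate:full" refuses a new connection with probability rate% once `start` sessions are unauthenticated, rising linearly to 100% at `full`), and then adds a per-source and a per-netblock cap as a sketch of the proposal, which is an assumption of this example rather than an OpenSSH feature. One abuser holds half-open sessions that never authenticate (they would persist until LoginGraceTime expires, 120 seconds by default) while twenty legitimate clients try to log in once each. The addresses, counts and the `Sshd`, `run_flood` and `netblock` names are constructed for the example.

```python
"""Added example: sshd MaxStartups admission control under a half-open flood,
with and without a per-source / per-netblock limit (a sketch of the proposal
in the thread, not an OpenSSH feature). Scenario data is constructed."""
import ipaddress
import random

# Constructed scenario: one abuser, 15 legitimate clients in a different /24
# and 5 legitimate clients that happen to share the abuser's /24.
ATTACKER = "198.51.100.7"
LEGIT_CLIENTS = [f"192.0.2.{i}" for i in range(1, 16)] + \
                [f"198.51.100.{i}" for i in range(50, 55)]


def red_drop_probability(pending, start, rate, full):
    """Percent chance a new connection is refused with `pending`
    unauthenticated sessions, per the MaxStartups start:rate:full rule.
    rate=100 with start == full gives the plain fixed limit ("MaxStartups N")."""
    if pending < start:
        return 0
    if pending >= full or rate >= 100:
        return 100
    # Linear interpolation (integer arithmetic) from rate% at start to 100% at full.
    return rate + (100 - rate) * (pending - start) // (full - start)


def netblock(addr, prefixlen):
    """Key an address by its enclosing prefix, e.g. /24, for per-netblock limits
    (/32 keys each source address individually)."""
    return ipaddress.ip_network(f"{addr}/{prefixlen}", strict=False)


class Sshd:
    """Tracks pending (not yet authenticated) sessions and decides admission."""

    def __init__(self, max_startups, per_source_max=None, prefixlen=32, seed=1):
        self.start, self.rate, self.full = max_startups
        self.per_source_max = per_source_max   # assumed per-source cap, None = off
        self.prefixlen = prefixlen
        self.rng = random.Random(seed)         # seeded so runs are reproducible
        self.pending = []                      # source key per unauthenticated session

    def admit(self, addr):
        key = netblock(addr, self.prefixlen)
        # Per-source check first: a flood from one source is capped before it
        # can consume the global budget that every other client depends on.
        if self.per_source_max is not None and self.pending.count(key) >= self.per_source_max:
            return False
        p = red_drop_probability(len(self.pending), self.start, self.rate, self.full)
        if self.rng.randrange(100) < p:
            return False
        self.pending.append(key)
        return True

    def authenticated(self, addr):
        """Session completed authentication: it no longer counts against MaxStartups."""
        self.pending.remove(netblock(addr, self.prefixlen))


def run_flood(sshd, attacker_attempts=100):
    """Attacker opens many sessions and never authenticates; afterwards each
    legitimate client connects once and logs in immediately if admitted.
    Returns (attacker sessions still held, legitimate clients admitted)."""
    for _ in range(attacker_attempts):
        sshd.admit(ATTACKER)
    held = len(sshd.pending)
    admitted = 0
    for client in LEGIT_CLIENTS:
        if sshd.admit(client):
            sshd.authenticated(client)
            admitted += 1
    return held, admitted


if __name__ == "__main__":
    for label, sshd in [
        ("MaxStartups 10 (fixed)", Sshd((10, 100, 10))),
        ("MaxStartups 10:30:100 (RED)", Sshd((10, 30, 100))),
        ("10:30:100 + 3 per source", Sshd((10, 30, 100), per_source_max=3)),
        ("10:30:100 + 3 per /24", Sshd((10, 30, 100), per_source_max=3, prefixlen=24)),
    ]:
        held, admitted = run_flood(sshd)
        print(f"{label:30} attacker holds {held:3}  legit admitted {admitted:2}/{len(LEGIT_CLIENTS)}")
```

With the fixed limit the abuser parks ten sessions and every later client is refused; with RED the abuser still holds well over ten and legitimate clients are refused with roughly even odds; with a per-source cap of three the abuser is stopped at three and all twenty clients get in. The per-/24 variant shows the caveat raised in the thread: the five clients sharing the abuser's /24 are locked out along with it, because a fixed prefix length does not match real allocation boundaries.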