Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Sun, 1 Jan 2012 20:34:45 -0500
From: "Mike O'Connor" <mjo@...o.mi.org>
To: oss-security@...ts.openwall.com
Subject: Re: speaking of DoS, openssh and dropbear (CVE-2006-1206)

:On Sun, Jan 01, 2012 at 04:53:09PM +0100, Nico Golde wrote:
:> given the hash DoS I remembered a small program I wrote some time last year to 
:> demonstrate why the default configuration of openssh sucks (MaxStartups and 
:> LoginGraceTime).

FWIW, we've had to adjust the default MaxStartups for our ssh-heavy
cluster management software for many years now.  It doesn't even take
a casual abuser to deny service to all.

:I think not only the default configuration, but also the approach behind
:MaxStartups sucks (either a fixed limit or RED).  In fact, I told this
:to OpenSSH folks before, and I proposed an alternative, but clearly I
:should have done more (contributed code) in order for anything to change.
:
:To be fair, there are also things that I do like about MaxStartups: the
:idea to limit only not-yet-authenticated sessions (or to limit them
:separately from authenticated sessions) and the close-a-pipe-fd trick.
:
:> ... how to properly handle this issue with openssh?
:
:In the same way that I did in popa3d, I think: per-source limits.  Maybe
:also per-source-netblock (e.g., separately for /8, /16, /24 - although
:this is IPv4-specific and these don't reflect actual netblock allocations).

Any thoughts on what an appropriate default config for per-source
limits should be?  How many connections from a given source would
end up being too many for the default OpenSSH configuration?

-- 
 Michael J. O'Connor                                          mjo@...o.mi.org
 =--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--=
"I need a vacation."                                          -The Terminator

Content of type "application/pgp-signature" skipped

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.