Old 08-14-2008, 09:39 AM
Knapp
 
Default SSHD_config question

Subject: SSHD_config question
MaxStartups

Specifies the maximum number of concurrent unauthenticated connections to the SSH
daemon. Additional connections will be dropped until authentication succeeds or
the LoginGraceTime expires for a connection. The default is 10.

Alternatively, random early drop can be enabled by specifying the three colon
separated values "start:rate:full" (e.g. "10:30:60"). sshd(8) will refuse
connection attempts with a probability of "rate/100" (30%) if there are
currently "start" (10) unauthenticated connections. The probability increases
linearly and all connection attempts are refused if the number of
unauthenticated connections reaches "full" (60).

What the heck does this mean? It is from the man command.
The first one I think I understand. No more than X people can be doing sign-in at the same time, right? But the second? Why do we need it? What does it do?


Thanks
--
Douglas E Knapp

http://sf-journey-creations.wikispot.org/Front_Page


--
ubuntu-users mailing list
ubuntu-users@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-users
 
Old 08-14-2008, 11:42 AM
Adam Funk
 
Default SSHD_config question

On 2008-08-14, Knapp wrote:

> Subject: SSHD_config question
> MaxStartups
>
> Specifies the maximum number of concurrent unauthenticated connections to
> the SSH daemon. Additional connections will be dropped until authentication
> succeeds or the LoginGraceTime expires for a connection. The default is 10.
>
> Alternatively, random early drop can be enabled by specifying the three
> colon separated values "start:rate:full" (e.g. "10:30:60"). sshd(8) will
> refuse connection attempts with a probability of "rate/100" (30%) if there
> are currently "start" (10) unauthenticated connections. The probability
> increases linearly and all connection attempts are refused if the number of
> unauthenticated connections reaches "full" (60).
>
> What the heck does this mean???? it is from the Man command.
> The first one I think I understand. No more than X people can be doing
> sign-in at the same time, right? But the second??? Why do we need it? What
> does it do?

"Concurrent unauthenticated connections" are the clients that have
connected to the port but not finished logging in yet. (I think you
got that bit.)

If you set it to 10:30:60, then there can always be 10 clients in that
state at a time, but the 11th one into that "pool" will face a 30%
chance of being dropped immediately; the 12th one will face a 33%
chance, and so on proportionally up to the 60th one, which faces an
almost 100% chance. If there are already 60 clients in that pool, all
subsequent attempts will fail until the pool shrinks.

I suspect the main purpose of this is to slow down brute-force userid-
and password-cracking attempts, which might try to make as many
concurrent connections as possible in order to work their way through
the dictionary quickly. Maybe someone else can confirm this?


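The ramp Adam describes is easiest to see by computing it. The following is an added example, not code from the thread or from OpenSSH itself: it reproduces the integer arithmetic sshd's drop_connection() uses for the "start:rate:full" form, plus the single-value form (which sshd treats as start == full, i.e. a hard cap). The placeholder rate of 100 for the single-value form and the sample counts are assumptions made here.

```python
import random

# Added example (not from the thread): the random-early-drop arithmetic sshd
# applies to a new connection while "startups" connections are still
# unauthenticated, following the integer (truncating) arithmetic of
# drop_connection() in OpenSSH's sshd.c.


def parse_maxstartups(spec):
    """Parse a MaxStartups value: either "N" or "start:rate:full".

    Returns (start, rate, full). sshd treats a bare "N" as start == full == N,
    a hard cap with no probabilistic region; the rate is then never consulted,
    so the 100 returned for it below is only a placeholder (assumption).
    """
    parts = spec.split(":")
    if len(parts) == 1:
        n = int(parts[0])
        return (n, 100, n)
    if len(parts) != 3:
        raise ValueError("MaxStartups must be N or start:rate:full")
    start, rate, full = (int(p) for p in parts)
    if start > full or not 1 <= rate <= 100:
        raise ValueError("illegal MaxStartups spec")
    return (start, rate, full)


def drop_probability(startups, spec):
    """Percent chance that sshd refuses a new connection when `startups`
    connections are already sitting in the unauthenticated state."""
    start, rate, full = parse_maxstartups(spec)
    if startups < start:
        return 0
    if startups >= full or rate == 100:
        return 100
    # Linear ramp from `rate` at `start` up to 100 at `full`, truncated at each
    # step exactly as sshd's C integer arithmetic does.
    p = 100 - rate
    p = p * (startups - start)
    p = p // (full - start)
    return p + rate


def should_drop(startups, spec, rng=random):
    """The actual accept/refuse decision: refuse when a draw in [0, 100) < p."""
    return rng.randrange(100) < drop_probability(startups, spec)


def ramp_table(spec, points):
    """Drop percentage at each of the given unauthenticated-connection counts."""
    return [(n, drop_probability(n, spec)) for n in points]


if __name__ == "__main__":
    for n, p in ramp_table("10:30:60", [9, 10, 11, 35, 59, 60, 100]):
        print(f"{n:3d} unauthenticated connections -> {p:3d}% chance of refusal")
    # A plain "MaxStartups 2" (the value chosen later in the thread) is a hard cap.
    for n, p in ramp_table("2", [0, 1, 2, 3]):
        print(f"{n:3d} unauthenticated connections -> {p:3d}% chance of refusal")
```

Note that the count is of connections already pending when the new one arrives: with 10:30:60, the connection that finds 10 others unauthenticated is refused 30% of the time, the one that finds 11 is refused 31% of the time (truncation, not rounding), and anything that finds 60 or more is refused outright.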
 
Old 08-14-2008, 12:10 PM
Knapp
 
Default SSHD_config question

On Thu, Aug 14, 2008 at 1:42 PM, Adam Funk <a24061@ducksburg.com> wrote:

> On 2008-08-14, Knapp wrote:
>
>> Subject: SSHD_config question
>> MaxStartups
>>
>> Specifies the maximum number of concurrent unauthenticated connections to
>> the SSH daemon. Additional connections will be dropped until authentication
>> succeeds or the LoginGraceTime expires for a connection. The default is 10.
>>
>> Alternatively, random early drop can be enabled by specifying the three
>> colon separated values "start:rate:full" (e.g. "10:30:60"). sshd(8) will
>> refuse connection attempts with a probability of "rate/100" (30%) if there
>> are currently "start" (10) unauthenticated connections. The probability
>> increases linearly and all connection attempts are refused if the number of
>> unauthenticated connections reaches "full" (60).
>>
>> What the heck does this mean???? it is from the Man command.
>> The first one I think I understand. No more than X people can be doing
>> sign-in at the same time, right? But the second??? Why do we need it? What
>> does it do?
>
> "Concurrent unauthenticated connections" are the clients that have
> connected to the port but not finished logging in yet. (I think you
> got that bit.)
>
> If you set it to 10:30:60, then there can always be 10 clients in that
> state at a time, but the 11th one into that "pool" will face a 30%
> chance of being dropped immediately; the 12th one will face a 33%
> chance, and so on proportionally up to the 60th one, which faces an
> almost 100% chance. If there are already 60 clients in that pool, all
> subsequent attempts will fail until the pool shrinks.

OK, that makes sense, but the system should tune to your computer and flash a warning if things get crazy. I would bet that big systems have a very stable number of people in the signing-on state per hour of the day. Smaller systems might not be so stable but still within a very tight range. An attack should jump outside this quickly.

I just set mine to a simple two. Should work just fine. Any reason this might be wrong? Not like it is public and I am expecting huge numbers of users.
I hope, pray, that my system has strong security at this point with ssh locked down hard and Firestarter locking out most other things. Have I missed anything?

> I suspect the main purpose of this is to slow down brute-force userid-
> and password-cracking attempts, which might try to make as many
> concurrent connections as possible in order to work their way through
> the dictionary quickly. Maybe someone else can confirm this?

I would love to hear more about this too.
--
Douglas E Knapp

http://sf-journey-creations.wikispot.org/Front_Page



 
Old 08-14-2008, 01:57 PM
"Brian McKee"
 
Default SSHD_config question

On Thu, Aug 14, 2008 at 8:10 AM, Knapp <magick.crow@gmail.com> wrote:
> On Thu, Aug 14, 2008 at 1:42 PM, Adam Funk <a24061@ducksburg.com> wrote:
>> On 2008-08-14, Knapp wrote:
> I hope, pray, that my system has strong security at this point with ssh
> locked down hard and Firestarter locking out most other things. Have I
> missed anything?

If you use ssh, I'd use rsa keys and not use passwords at all.
Problem solved, as long as you keep the key handy and don't let it
loose.

That being said, if you use real passwords (i.e. longer than 8,
include at least more than one case, some numbers and punctuation -
definitely not something you can find in a newspaper) you are fine.

If you look at the attempts those ssh bots are trying the passwords
are laughably bad. If you have a laughably bad password then you have
issues :-)

Brian

 
Old 08-14-2008, 02:02 PM
Rashkae
 
Default SSHD_config question

Brian McKee wrote:
> On Thu, Aug 14, 2008 at 8:10 AM, Knapp <magick.crow@gmail.com> wrote:
>> On Thu, Aug 14, 2008 at 1:42 PM, Adam Funk <a24061@ducksburg.com> wrote:
>>> On 2008-08-14, Knapp wrote:
>> I hope, pray, that my system has strong security at this point with ssh
>> locked down hard and Firestarter locking out most other things. Have I
>> missed anything?
>
> If you use ssh, I'd use rsa keys and not use passwords at all.
> Problem solved, as long as you keep the key handy and don't let it
> loose.
>
> That being said, if you use real passwords (i.e. longer than 8,
> include at least more than one case, some numbers and punctuation -
> definitely not something you can find in a newspaper) you are fine.
>
> If you look at the attempts those ssh bots are trying the passwords
> are laughably bad. If you have a laughably bad password then you have
> issues :-)
>
> Brian
>

And I suppose, you have never in a moment of weakness created a user
named Test with password test?

It's a good idea to lock out password based logins from the wild.
Prevents silly accidents.

 
Old 08-14-2008, 02:15 PM
Smoot Carl-Mitchell
 
Default SSHD_config question

>
> I suspect the main purpose of this is to slow down brute-force
> userid-
> and password-cracking attempts, which might try to make as
> many
> concurrent connections as possible in order to work their way
> through
> the dictionary quickly. Maybe someone else can confirm this?
>
> I would love to hear more about this too.

I think it is mainly to slow down denial of service attacks on SSH.
Remember the link is encrypted and encryption is relatively expensive.
Enough SSH sessions at a time can slow a system down by burning up cpu
cycles which may slow down a legitimate attempt to get SSH access or
slow other services to a crawl because of high cpu utilization.

You can do similar rate limiting with iptables on Linux systems.
Something like:

# Record every new connection to port 22 per source address in a list named SSH,
# then drop a source once it has made 10 or more such connections within 300 seconds.
iptables -I INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH
iptables -I INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 300 --hitcount 10 --name SSH -j DROP

This has the advantage of selectively blocking specific source IP
addresses when the connection attempts exceed a specific threshold.
iptables syntax is hard to read (see the man page for the details), but
the above rules will block connections to your SSH daemon from a
specific source IP address when new connections (e.g. TCP SYN packets)
are received from that address at a rate greater than 10 new
connections every 300 seconds.
--
Smoot Carl-Mitchell
System/Network Architect
smoot@tic.com
+1 480 922 7313
cell: +1 602 421 9005

 
Old 08-14-2008, 02:15 PM
Karl Auer
 
Default SSHD_config question

On Thu, 2008-08-14 at 09:57 -0400, Brian McKee wrote:
> On Thu, Aug 14, 2008 at 8:10 AM, Knapp <magick.crow@gmail.com> wrote:
> > On Thu, Aug 14, 2008 at 1:42 PM, Adam Funk <a24061@ducksburg.com> wrote:
> >> On 2008-08-14, Knapp wrote:
> > I hope, pray, that my system has strong security at this point with ssh
> > locked down hard and Firestarter locking out most other things. Have I
> > missed anything?

As Brian said, turn off password access completely, that will stop most
of the script attacks. If you can, move your server to a port other than
22, 222, 2222 and 22222 - use something random, so it's at least not in
the firing line. Make sure (if you have multiple interfaces) that sshd
is listening only on the interface(s) you want it to use. If you don't
use IPv6, turn off IPv6 access too. If you do not expect legitimate use
outside certain hours, use cron to stop and start sshd so it is only
accepting connections during those hours. If you are very serious, you
could try adding port knocking.

Regards, K.

--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~~~~
Karl Auer (kauer@biplane.com.au) +61-2-64957160 (h)
http://www.biplane.com.au/~kauer/ +61-428-957160 (mob)

GPG fingerprint: DD23 0DF3 2260 3060 7FEC 5CA8 1AF6 D9E3 CFEE 6B28
Public key at : random.sks.keyserver.penguin.de

 
Old 08-14-2008, 02:33 PM
"Brian McKee"
 
Default SSHD_config question

On Thu, Aug 14, 2008 at 10:02 AM, Rashkae <ubuntu@tigershaunt.com> wrote:
> Brian McKee wrote:
>> That being said, if you use real passwords (i.e. longer than 8,
>> include at least more than one case, some numbers and punctuation -
>> definitely not something you can find in a newspaper) you are fine.
>>
>> If you look at the attempts those ssh bots are trying the passwords
>> are laughably bad. If you have a laughably bad password then you have
>> issues :-)
> And I suppose, you have never in a moment of weakness created a user
> named Test with password test?
> It's a good idea to lock out password based logins from the wild from
> the wild. Prevents silly accidents.

Actually, no, I have never created a test user with the password test.
Nor admin/admin or root/root.

I do have a password that I admit to reusing from time to time in
exactly those cases - but it's definitely not test :-)

I agree wholeheartedly that using keys and disabling password based
logins is a great idea. Silly accidents do happen.

Brian

 
Old 08-14-2008, 08:12 PM
NoOp
 
Default SSHD_config question

On 08/14/2008 06:57 AM, Brian McKee wrote:
> On Thu, Aug 14, 2008 at 8:10 AM, Knapp <magick.crow@gmail.com> wrote:
>> On Thu, Aug 14, 2008 at 1:42 PM, Adam Funk <a24061@ducksburg.com> wrote:
>>> On 2008-08-14, Knapp wrote:
>> I hope, pray, that my system has strong security at this point with ssh
>> locked down hard and Firestarter locking out most other things. Have I
>> missed anything?
>
> If you use ssh, I'd use rsa keys and not use passwords at all.
> Problem solved, as long as you keep the key handy and don't let it
> loose.
>
> That being said, if you use real passwords (i.e. longer than 8,
> include at least more than one case, some numbers and punctuation -
> definitely not something you can find in a newspaper) you are fine.
>
> If you look at the attempts those ssh bots are trying the passwords
> are laughably bad. If you have a laughably bad password then you have
> issues :-)
>
> Brian
>

Agree there... (laughably bad password attempts).

@Knapp: I'd recommend that you install denyhosts.

https://help.ubuntu.com/community/InstallingSecurityTools
http://www.ubuntugeek.com/securing-ssh.html


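Both Smoot's iptables "recent" rule and NoOp's denyhosts suggestion boil down to the same per-source sliding-window count, one in the kernel on new TCP connections, the other in userland on sshd's log lines. The following is an added example, not code from the thread or from denyhosts: it applies that window (10 hits within 300 seconds, the numbers from the iptables rule) to sshd "Failed password" lines. The log lines are constructed here for illustration, the year supplied to the timestamp parser is an assumption (syslog lines carry none), and the function and constant names are this example's own.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Added example (not from the thread): a per-source sliding-window counter with
# the same semantics as "-m recent --seconds 300 --hitcount 10", applied to
# sshd's "Failed password" log lines instead of to TCP SYNs.

WINDOW_SECONDS = 300   # --seconds 300
HITS = 10              # --hitcount 10

# sshd auth.log line shape, e.g.
#   Aug 14 09:39:01 host sshd[1234]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[0-9a-fA-F.:]+) port \d+"
)


def parse_failed(line, year=2008):
    """Return (epoch_seconds, ip, user) for a failed-password line, else None."""
    m = FAILED_RE.match(line)
    if not m:
        return None
    # syslog timestamps carry no year; the caller supplies one (assumption).
    ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    return (ts.timestamp(), m.group("ip"), m.group("user"))


def offenders(lines, window=WINDOW_SECONDS, hits=HITS):
    """Replay log lines and return {ip: time at which the threshold was first hit}.

    Only timestamps inside the trailing window are kept per source, so a slow
    trickle (fewer than `hits` failures per `window`) never triggers, exactly
    as with the iptables rule, while a burst does.
    """
    recent = defaultdict(deque)
    blocked = {}
    for line in lines:
        parsed = parse_failed(line)
        if parsed is None:
            continue
        t, ip, _user = parsed
        q = recent[ip]
        q.append(t)
        while q and t - q[0] > window:      # expire events that left the window
            q.popleft()
        if len(q) >= hits and ip not in blocked:
            blocked[ip] = t
    return blocked


# Constructed sample log, not real data: a 12-attempt burst from 203.0.113.5
# spanning under two minutes, one failure per hour from 198.51.100.7, and an
# accepted key login that the regex must ignore.
SAMPLE_LOG = [
    f"Aug 14 09:{40 + i // 6:02d}:{(i * 10) % 60:02d} host sshd[{1000 + i}]: "
    f"Failed password for invalid user admin from 203.0.113.5 port {50000 + i} ssh2"
    for i in range(12)
] + [
    f"Aug 14 {9 + i:02d}:05:00 host sshd[{2000 + i}]: "
    f"Failed password for root from 198.51.100.7 port {40000 + i} ssh2"
    for i in range(4)
] + [
    "Aug 14 10:00:00 host sshd[3000]: Accepted publickey for doug from 192.0.2.9 port 60000 ssh2",
]

if __name__ == "__main__":
    for ip, when in offenders(SAMPLE_LOG).items():
        print(f"{ip} reached {HITS} failures within {WINDOW_SECONDS}s at "
              f"{datetime.fromtimestamp(when):%H:%M:%S}")
```

The burst source is reported at its tenth failure (90 seconds into the burst); the hourly trickle never accumulates enough hits inside a 300-second window and is left alone, which is the same blind spot the iptables rule has against a patient attacker. Whatever acts on the result (hosts.deny, an iptables rule, a firewall API) should also whitelist the addresses you administer from, since a typo in your own password loop is the easiest way to lock yourself out.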
 
Old 08-14-2008, 08:29 PM
Adam Funk
 
Default SSHD_config question

On 2008-08-14, Knapp wrote:

[MaxStartups option in sshd_config]

>> If you set it to 10:30:60, then there can always be 10 clients in that
>> state at a time, but the 11th one into that "pool" will face a 30%
>> chance of being dropped immediately; the 12th one will face a 33%
>> chance, and so on proportionally up to the 60th one, which faces an
>> almost 100% chance. If there are already 60 clients in that pool, all
>> subsequent attempts will fail until the pool shrinks.
>
> OK, that makes sense but the system should tune to your computer and flash a
> warning if things get crazy. I would bet that big systems have a very stable
> number of people in the signing on state per hour of the day. Smaller
> systems might not be so stable but still within a very tight range. An
> attach should jump outside this quickly.

The installation default is not to limit this at all.

> I just set mine to a simple two. Should work just fine. Any reason this
> might be wrong? Not like it is public and I am expecting huge numbers of
> users.

That sounds reasonable to me.

> I hope, pray, that my system has strong security at this point with ssh
> locked down hard and Firestarter locking out most other things. Have I
> missed anything?

Change "PermitRootLogin yes" to "PermitRootLogin no". It's also a
good idea to allow login by SSH keys only; generate a keypair using
ssh-keygen (there are some good HOWTOs on the web) and test the key
from a remote machine, then (after testing!) change
"PasswordAuthentication yes" to "PasswordAuthentication no". This
makes dictionary-based cracking impossible.

If you're running it on port 22 (the default), you will get a lot of
noise in your logs from bots trying to log in using root and common
account names. You can stop that by running it on a high-numbered
port. (This is security by obscurity and you should not *rely* on it,
but it definitely reduces log noise.)


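Karl's and Adam's recommendations (no root login, keys only, ListenAddress pinned to the intended interface, a non-default port, a MaxStartups limit) are all plain sshd_config keywords, and the one mistake that quietly undoes them is that sshd takes the first occurrence of a keyword in the global section, so a "PasswordAuthentication no" appended after an earlier "yes" changes nothing. The following is an added example, not code from the thread or from OpenSSH: a small checker that reads a config the way sshd does for the global section and reports which of the thread's recommendations are not in effect. The two configs, the check names and the default values it assumes for missing keywords are this example's own.

```python
import re

# Added example (not from the thread): audit the sshd_config settings the
# thread recommends. The global section is parsed as sshd does: the FIRST
# occurrence of a keyword wins, and anything after a "Match" line is
# conditional and skipped here. Multi-valued keywords (Port, ListenAddress)
# accumulate in sshd; this checker only looks at the first of each.

# keyword -> (predicate on the effective value, finding text)
CHECKS = {
    "permitrootlogin": (lambda v: v == "no", "PermitRootLogin should be no"),
    "passwordauthentication": (lambda v: v == "no",
                               "PasswordAuthentication should be no (keys only)"),
    "pubkeyauthentication": (lambda v: v == "yes", "PubkeyAuthentication should stay yes"),
    "port": (lambda v: v != "22", "Port 22 attracts scanner noise; pick a high port"),
    "maxstartups": (lambda v: v is not None, "MaxStartups is unset (set N or start:rate:full)"),
    "listenaddress": (lambda v: v is not None,
                      "ListenAddress is unset; sshd listens on every interface"),
}

# Values assumed when a keyword is absent (OpenSSH documented defaults).
DEFAULTS = {"permitrootlogin": "yes", "passwordauthentication": "yes",
            "pubkeyauthentication": "yes", "port": "22"}


def effective_settings(text):
    """Return {keyword_lower: first_value} for the global section of an sshd_config."""
    settings = {}
    in_match = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # strip comments and whitespace
        if not line:
            continue
        m = re.match(r"([^\s=]+)\s*=?\s*(.*)", line)   # "Key value" or "Key=value"
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            in_match = True        # every following line belongs to a Match block
            continue
        if in_match:
            continue
        settings.setdefault(key, value)          # first occurrence wins, as in sshd
    return settings


def audit(text):
    """Return the list of findings (empty when every check passes)."""
    settings = effective_settings(text)
    findings = []
    for key, (ok, message) in CHECKS.items():
        value = settings.get(key, DEFAULTS.get(key))
        if not ok(value):
            findings.append(message)
    return findings


# Constructed configs for illustration, not copied from any real host.
WEAK = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
# Appended later in good faith, but ignored: the earlier "yes" wins.
PasswordAuthentication no
"""

HARDENED = """\
Port 49222
ListenAddress 192.0.2.10
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
MaxStartups 10:30:60
Match User backup
    PasswordAuthentication yes   # conditional; does not change the global value
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(f"{name}: {audit(cfg) or ['no findings']}")
```

Run it against a copy of /etc/ssh/sshd_config before restarting sshd, and pair it with sshd's own checks: `sshd -t -f <file>` rejects syntax errors, and `sshd -T` prints the effective values so you can see which of two conflicting lines actually won. As Adam says, keep an existing session open and confirm key login from a second one before the PasswordAuthentication change takes effect.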
 
