Re: speaking of DoS, openssh and dropbear (CVE-2006-1206)
From: "Mike O'Connor" <mjo () dojo mi org>
Date: Sun, 1 Jan 2012 20:34:45 -0500
:On Sun, Jan 01, 2012 at 04:53:09PM +0100, Nico Golde wrote:
:> given the hash DoS I remembered a small program I wrote some time last year to
:> demonstrate why the default configuration of openssh sucks (MaxStartups and
FWIW, we've had to adjust the default MaxStartups for our ssh-heavy
cluster management software for many years now. It doesn't even take
a casual abuser to deny service to all.
:I think not only the default configuration, but also the approach behind
:MaxStartups sucks (either a fixed limit or RED). In fact, I told this
:to OpenSSH folks before, and I proposed an alternative, but clearly I
:should have done more (contributed code) in order for anything to change.
:To be fair, there are also things that I do like about MaxStartups: the
:idea to limit only not-yet-authenticated sessions (or to limit them
:separately from authenticated sessions) and the close-a-pipe-fd trick.
:> ... how to properly handle this issue with openssh?
:In the same way that I did in popa3d, I think: per-source limits. Maybe
:also per-source-netblock (e.g., separately for /8, /16, /24 - although
:this is IPv4-specific and these don't reflect actual netblock allocations).
Any thoughts on what an appropriate default config for per-source
limits should be? How many connections from a given source would
end up being too many for the default OpenSSH configuration?
Michael J. O'Connor mjo () dojo mi org
"I need a vacation." -The Terminator
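To make the difference between the two approaches discussed in this thread concrete, here is a small model, added as an example and not taken from the thread or from OpenSSH's code, of (1) one global count of not-yet-authenticated sessions with random early drop, the MaxStartups start:rate:full form that sshd_config(5) documents, and (2) the per-source and per-netblock limits proposed in the quoted reply. The drop-probability ramp follows the manual page's description rather than sshd's implementation; the 10:30:100 values, the per-source caps of 4 per /32, 16 per /24 and 64 per /16, and the abuser and victim addresses (taken from the RFC 5737 documentation ranges) are all assumptions made for the demonstration, not defaults the thread states.

```python
# Added example (not from this thread or from OpenSSH): a model of two ways of
# admitting not-yet-authenticated sshd sessions.  (1) A single global counter
# with random early drop, i.e. the MaxStartups start:rate:full form of
# sshd_config(5); (2) the per-source / per-netblock limits proposed in the
# quoted reply.  Numbers and addresses below are assumptions chosen for the
# demonstration; the addresses come from the RFC 5737 documentation ranges.
import ipaddress
import random
from collections import Counter


def red_drop_probability(unauth, start=10, rate=30, full=100):
    """Probability (0..1) of refusing a new connection when `unauth`
    unauthenticated sessions already exist, following the linear ramp that
    sshd_config(5) describes for MaxStartups start:rate:full: nothing is
    dropped below `start`, rate% is dropped at `start`, 100% at `full`.
    A plain "MaxStartups N" is the special case start == full == N."""
    if unauth < start:
        return 0.0
    if unauth >= full or rate >= 100:
        return 1.0
    return (rate + (100 - rate) * (unauth - start) / (full - start)) / 100.0


class RedGate:
    """One global count of unauthenticated sessions, shared by every source."""

    def __init__(self, start, rate, full, rng):
        self.start, self.rate, self.full, self.rng = start, rate, full, rng
        self.unauth = 0

    def admit(self, src):
        p = red_drop_probability(self.unauth, self.start, self.rate, self.full)
        if self.rng.random() < p:
            return False
        self.unauth += 1            # nobody authenticates in this model
        return True


class PerSourceGate:
    """Separate counters per /32 and per enclosing netblock (IPv4 only; as the
    quoted reply notes, a /8-/16-/24 split is IPv4-specific)."""

    def __init__(self, limits):
        self.limits = limits        # {prefix length: max unauthenticated sessions}
        self.counts = Counter()

    def admit(self, src):
        ipaddress.IPv4Address(src)  # raises ValueError on a malformed source
        keys = [ipaddress.IPv4Network((src, plen), strict=False)
                for plen in self.limits]
        # refuse if any block containing the source is already at its cap
        if any(self.counts[k] >= self.limits[k.prefixlen] for k in keys):
            return False
        for k in keys:
            self.counts[k] += 1
        return True


def simulate(seed=1):
    """One abuser opens connections and never authenticates; then a victim from
    an unrelated network tries to connect.  Returns what each policy did."""
    rng = random.Random(seed)
    abuser, victim = "198.51.100.7", "203.0.113.5"       # constructed sample sources
    out = {}

    red = RedGate(10, 30, 100, rng)                      # assumed MaxStartups 10:30:100
    attempts = 0
    while red.unauth < red.full:                         # retry until the table is full
        red.admit(abuser)
        attempts += 1
    out["red"] = {"abuser_holds": red.unauth,
                  "abuser_attempts": attempts,
                  "victim_admitted": red.admit(victim)}  # p == 1.0 here: refused

    caps = {32: 4, 24: 16, 16: 64}                       # assumed per-source caps
    ps = PerSourceGate(caps)
    held = sum(ps.admit(abuser) for _ in range(attempts))
    out["per_source"] = {"abuser_holds": held,
                         "victim_admitted": ps.admit(victim)}

    # The same abuser spread over every address of its /24: the /24 cap bounds it.
    ps2 = PerSourceGate(caps)
    held2 = sum(ps2.admit(f"198.51.100.{i}") for i in range(1, 255))
    out["per_source_spread_24"] = {"abuser_holds": held2,
                                   "victim_admitted": ps2.admit(victim)}
    return out


if __name__ == "__main__":
    for policy, result in simulate().items():
        print(policy, result)
```

Under the global RED policy the abuser simply retries until the unauthenticated table is full, after which every other source is refused with probability 1; under the per-source policy the same abuser is held to 4 sessions from one address, or 16 from a whole /24, and the unrelated victim still gets in. The model deliberately ignores LoginGraceTime, which in a real sshd is what eventually reaps idle unauthenticated sessions, so it shows the steady state an abuser can maintain by reconnecting, not the exact timing.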