Bugtraq mailing list archives
Re: remote DoS against inetd and ssh
From: jose () BIOCSERVER BIOC CWRU EDU (Jose Nazario)
Date: Wed, 8 Sep 1999 10:49:12 -0400
hi, yeah, i noted this to the ssh development team in march, 1999. this was under version 1.2.26, and then 1.2.27 came out and there was no fix for it. i didn't BUGTRAQ it as i find such info without a real fix to be irresponsible. my coding sucks and i haven't been able to get my MaxClients parameter to work in sshd. this would then be analogous to that found in the apache web server. my incomplete code diffs are available to anyone who wants to make it work, i get errors when it forks the child process to handle the socket. an alternative i use on my servers is to install xinetd and load sshd into xinetd. instances control in xinetd take care of that issue. similar inetd replacements which have instances control would also work. be sure to use the "-i" flag since it's no longer standalone. a working xinetd config for it would look like: service ssh { socket_type = stream protocol = tcp wait = no user = root server = /usr/local/sbin/sshd server_args = -i instances = 10 } <rant> this is pretty irresponsible of ssh's development team to leave such an obvious point of trouble in their code long before i even mentioned it to them. the apache team noted in their configuration comments why they have a MaxClients type of parameter, to prevent resource exhaustion of a standalone daemon. sshd is reccomended to be run as standalone, and installs by default as standalone, their lack of observation of this parameter is stunning. i just didn't want to be party to this irresponsibility and post a DoS that could affect a $#@%load of machines without some real code fix. an %$@#load of admins use sshd on their machines for secure WAN connectivity and are vulnerable to this annoying DoS. </rant> sincerely, jose nazario jose () biochemistry cwru edu PGP 2.6.2 key fingerprint: 89 B0 81 DA 5B FD 7E 00 99 C3 B2 CD 48 A0 07 80 Public key available at http://biocserver.cwru.edu/~jose/pgp-key.asc
Current thread:
- remote DoS against inetd and ssh Grzegorz Stelmaszek (Sep 02)
- Re: remote DoS against inetd and ssh Jedi/Sector One (Sep 08)
- Re: remote DoS against inetd and ssh Derek Callaway (Sep 08)
- Re: remote DoS against inetd and ssh Vincent Janelle (Sep 08)
- <Possible follow-ups>
- Re: remote DoS against inetd and ssh Alexander Boutkhoudze (Sep 07)
- Re: remote DoS against inetd and ssh Jose Nazario (Sep 08)
- Re: remote DoS against inetd and ssh Stas Kisel (Sep 22)