oss-sec mailing list archives
Re: speaking of DoS, openssh and dropbear (CVE-2006-1206)
From: "Mike O'Connor" <mjo () dojo mi org>
Date: Sun, 1 Jan 2012 20:34:45 -0500
:On Sun, Jan 01, 2012 at 04:53:09PM +0100, Nico Golde wrote:
:> given the hash DoS I remembered a small program I wrote some time last year to
:> demonstrate why the default configuration of openssh sucks (MaxStartups and
:> LoginGraceTime).

FWIW, we've had to adjust the default MaxStartups for our ssh-heavy cluster
management software for many years now.  It doesn't even take a casual abuser
to deny service to all.

:I think not only the default configuration, but also the approach behind
:MaxStartups sucks (either a fixed limit or RED).  In fact, I told this
:to OpenSSH folks before, and I proposed an alternative, but clearly I
:should have done more (contributed code) in order for anything to change.
:
:To be fair, there are also things that I do like about MaxStartups: the
:idea to limit only not-yet-authenticated sessions (or to limit them
:separately from authenticated sessions) and the close-a-pipe-fd trick.
:
:> ... how to properly handle this issue with openssh?
:
:In the same way that I did in popa3d, I think: per-source limits.  Maybe
:also per-source-netblock (e.g., separately for /8, /16, /24 - although
:this is IPv4-specific and these don't reflect actual netblock allocations).

Any thoughts on what an appropriate default config for per-source limits
should be?  How many connections from a given source would end up being too
many for the default OpenSSH configuration?

-- 
Michael J. O'Connor                                          mjo () dojo mi org
=--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--=
             "I need a vacation."                            -The Terminator
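The exchange above contrasts sshd's global MaxStartups limit (fixed or RED) with per-source limits of the kind used in popa3d. The following is an added example, not code from the thread, from OpenSSH or from popa3d: a small model of the MaxStartups "begin:rate:full" random-early-drop decision, written to follow the integer arithmetic of sshd's drop_connection(), beside an assumed per-host / per-/24 limiter in the spirit of the quoted suggestion, so both can be run against the same constructed flood from a single attacker address. The class names, the per-host and per-/24 caps, the injected RNG, and the sample addresses (documentation ranges) are assumptions made for this example.

```python
"""
Added example (not from the thread, OpenSSH or popa3d): model sshd's
MaxStartups begin:rate:full policy and compare it with a per-source limiter
on one constructed flood. Caps, names and addresses are assumptions.
"""
import ipaddress
from typing import Callable, Dict, Tuple


def red_drop(startups: int, begin: int, rate: int, full: int,
             rnd: Callable[[], int]) -> bool:
    """Decide whether to refuse a new unauthenticated connection.

    Follows sshd's MaxStartups begin:rate:full arithmetic: below `begin` open
    unauthenticated connections everything is accepted, at `full` everything
    is refused, in between the drop probability rises linearly from rate% to
    100%. `rnd()` must return a uniform integer in 0..99 (sshd uses
    arc4random; it is injected here so the model is deterministic).
    """
    if startups < begin:
        return False
    if startups >= full or rate == 100:
        return True
    p = 100 - rate
    p *= startups - begin
    p //= full - begin
    p += rate
    return rnd() < p


class MaxStartups:
    """Global counter only: sshd does not track who holds the slots."""

    def __init__(self, begin: int, rate: int, full: int,
                 rnd: Callable[[], int]):
        self.begin, self.rate, self.full, self.rnd = begin, rate, full, rnd
        self.startups = 0          # connections that have not authenticated yet

    def admit(self, src_ip: str) -> bool:
        if red_drop(self.startups, self.begin, self.rate, self.full, self.rnd):
            return False
        self.startups += 1
        return True


class PerSourceLimiter:
    """Assumed design: per-host and per-/24 caps on unauthenticated
    connections under a global ceiling (not popa3d's or OpenSSH's code)."""

    def __init__(self, per_host: int, per_net24: int, full: int):
        self.per_host, self.per_net24, self.full = per_host, per_net24, full
        self.by_host: Dict[str, int] = {}
        self.by_net: Dict[str, int] = {}
        self.total = 0

    @staticmethod
    def _net(src_ip: str) -> str:
        # /24 for IPv4, /64 for IPv6; as the quoted message notes, fixed
        # prefix lengths do not reflect real netblock allocations.
        addr = ipaddress.ip_address(src_ip)
        plen = 24 if addr.version == 4 else 64
        return str(ipaddress.ip_network(f"{addr}/{plen}", strict=False))

    def admit(self, src_ip: str) -> bool:
        net = self._net(src_ip)
        if (self.total >= self.full
                or self.by_host.get(src_ip, 0) >= self.per_host
                or self.by_net.get(net, 0) >= self.per_net24):
            return False
        self.by_host[src_ip] = self.by_host.get(src_ip, 0) + 1
        self.by_net[net] = self.by_net.get(net, 0) + 1
        self.total += 1
        return True


def flood(admit: Callable[[str], bool], attempts: int = 200,
          attacker_ip: str = "203.0.113.7",
          client_ip: str = "198.51.100.9") -> Tuple[int, bool]:
    """One attacker opens connections and never authenticates, so each
    admitted one occupies a slot until LoginGraceTime reaps it. Returns
    (slots the attacker holds, whether a client elsewhere is then admitted).
    Addresses are constructed documentation-range samples."""
    held = sum(1 for _ in range(attempts) if admit(attacker_ip))
    return held, admit(client_ip)


def sustain_rate(slots: int, login_grace_seconds: int) -> float:
    """New connections per second needed to keep `slots` permanently
    occupied when each is only reaped after LoginGraceTime."""
    return slots / login_grace_seconds


if __name__ == "__main__":
    # "MaxStartups 10" (single-number form): begin == full, rate 100.
    print(flood(MaxStartups(10, 100, 10, lambda: 0).admit))
    # "MaxStartups 10:30:100" with an RNG that never drops before full ...
    print(flood(MaxStartups(10, 30, 100, lambda: 99).admit))
    # ... and one that always drops past begin: the other client is refused
    # either way once the attacker sits on the first 10 slots.
    print(flood(MaxStartups(10, 30, 100, lambda: 0).admit))
    # Per-source caps: 3 per host, 10 per /24, 100 overall.
    print(flood(PerSourceLimiter(3, 10, 100).admit))
    print(sustain_rate(100, 120))
```

The point the model makes explicit: under any global-only policy the attacker ends up holding the slots and the other client is refused, and keeping even `full` slots occupied costs only `full / LoginGraceTime` new connections per second; under the per-source limiter the same flood is capped at the per-host limit and the other client gets in.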
Current thread:
- speaking of DoS, openssh and dropbear (CVE-2006-1206) Nico Golde (Jan 01)
- Re: speaking of DoS, openssh and dropbear (CVE-2006-1206) Solar Designer (Jan 01)
- Re: speaking of DoS, openssh and dropbear (CVE-2006-1206) Mike O'Connor (Jan 01)
- Re: speaking of DoS, openssh and dropbear (CVE-2006-1206) Solar Designer (Jan 01)
- Re: speaking of DoS, openssh and dropbear (CVE-2006-1206) Kurt Seifried (Jan 01)
- Re: speaking of DoS, openssh and dropbear (CVE-2006-1206) Eitan Adler (Jan 01)
- Re: speaking of DoS, openssh and dropbear (CVE-2006-1206) Kurt Seifried (Jan 02)
- Re: speaking of DoS, openssh and dropbear (CVE-2006-1206) Nico Golde (Jan 02)
- Re: speaking of DoS, openssh and dropbear (CVE-2006-1206) Solar Designer (Jan 02)
- Re: speaking of DoS, openssh and dropbear (CVE-2006-1206) Nico Golde (Jan 03)
- Re: speaking of DoS, openssh and dropbear (CVE-2006-1206) Mike O'Connor (Jan 01)
- Re: speaking of DoS, openssh and dropbear (CVE-2006-1206) Solar Designer (Jan 03)
- Re: speaking of DoS, openssh and dropbear (CVE-2006-1206) Kurt Seifried (Jan 03)
- Re: speaking of DoS, openssh and dropbear (CVE-2006-1206) Solar Designer (Jan 11)
- Re: speaking of DoS, openssh and dropbear (CVE-2006-1206) Solar Designer (Jan 01)