oss-sec mailing list archives

Re: speaking of DoS, openssh and dropbear (CVE-2006-1206)


From: "Mike O'Connor" <mjo () dojo mi org>
Date: Sun, 1 Jan 2012 20:34:45 -0500

:On Sun, Jan 01, 2012 at 04:53:09PM +0100, Nico Golde wrote:
:> given the hash DoS I remembered a small program I wrote some time last year to 
:> demonstrate why the default configuration of openssh sucks (MaxStartups and 
:> LoginGraceTime).

FWIW, we've had to adjust the default MaxStartups for our ssh-heavy
cluster management software for many years now.  It doesn't even take
a casual abuser to deny service to all.

:I think not only the default configuration, but also the approach behind
:MaxStartups sucks (either a fixed limit or RED).  In fact, I told this
:to OpenSSH folks before, and I proposed an alternative, but clearly I
:should have done more (contributed code) in order for anything to change.
:
:To be fair, there are also things that I do like about MaxStartups: the
:idea to limit only not-yet-authenticated sessions (or to limit them
:separately from authenticated sessions) and the close-a-pipe-fd trick.
:
:> ... how to properly handle this issue with openssh?
:
:In the same way that I did in popa3d, I think: per-source limits.  Maybe
:also per-source-netblock (e.g., separately for /8, /16, /24 - although
:this is IPv4-specific and these don't reflect actual netblock allocations).

Any thoughts on what an appropriate default config for per-source
limits should be?  How many connections from a given source would
end up being too many for the default OpenSSH configuration?

-- 
 Michael J. O'Connor                                          mjo () dojo mi org
 =--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--=
"I need a vacation."                                          -The Terminator
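As an added example (not code from OpenSSH and not from anyone in this thread), the simulation below puts the two approaches discussed above side by side: sshd's global MaxStartups, both as a fixed cap and as the start:rate:full random early drop, and a per-source / per-netblock limit of the kind proposed in the reply. The limit values, the /24, /16 and /8 prefix lengths, the addresses (RFC 5737 documentation ranges) and all function and class names are assumptions chosen for illustration. It shows the point Mike makes: one client that opens connections and never authenticates fills a global limit for everybody, while a per-source limit only stops that client.

```python
"""Added example, not OpenSSH code: MaxStartups (fixed cap and RED) next to
a hypothetical per-source / per-netblock limit on unauthenticated sessions."""
import ipaddress
import random
from collections import Counter


def red_drop(startups, begin, rate, full, draw=None):
    """MaxStartups start:rate:full decision for one new unauthenticated
    connection with `startups` already pending: below `begin` never drop,
    at or above `full` always drop, in between drop with probability rising
    linearly from `rate`% to 100%.  `draw` yields a uniform int in [0, 100)
    and is a parameter only so the decision can be tested deterministically."""
    if startups < begin:
        return False
    if startups >= full:
        return True
    if draw is None:
        draw = lambda: random.randrange(100)
    p = (100 - rate) * (startups - begin) / (full - begin) + rate
    return draw() < p


def fixed_drop(startups, limit):
    """MaxStartups given as a single number: a hard cap, no randomness."""
    return startups >= limit


class PerSourceLimiter:
    """Limit pending (unauthenticated) sessions per client address and per
    enclosing /24, /16 and /8.  IPv4 only, as in the proposal in the thread;
    the prefix lengths and limits are assumed values, not real allocations."""

    def __init__(self, per_ip=3, per_prefix=None):
        self.per_ip = per_ip
        self.per_prefix = dict(per_prefix or {24: 6, 16: 12, 8: 24})
        self.pending = Counter()  # (prefix length, address or network) -> count

    def _keys(self, ip):
        addr = ipaddress.IPv4Address(ip)
        keys = [(32, addr, self.per_ip)]
        for plen, limit in self.per_prefix.items():
            net = ipaddress.IPv4Network(f"{addr}/{plen}", strict=False)
            keys.append((plen, net, limit))
        return keys

    def admit(self, ip):
        """Admit a new unauthenticated connection from `ip` unless the
        address or any of its netblocks is already at its limit."""
        keys = self._keys(ip)
        if any(self.pending[(plen, net)] >= limit for plen, net, limit in keys):
            return False
        for plen, net, _ in keys:
            self.pending[(plen, net)] += 1
        return True

    def release(self, ip):
        """Session authenticated or closed: stop counting it as pending
        (the role the close-a-pipe-fd trick plays in sshd's own bookkeeping)."""
        for plen, net, _ in self._keys(ip):
            self.pending[(plen, net)] -= 1


def flood_scenario(abuser_ip, victim_ip, abuser_conns, max_startups=10, per_ip=3):
    """One abuser opens `abuser_conns` connections and never logs in, then a
    legitimate client tries once.  Reports whether the legitimate client is
    admitted under a fixed global MaxStartups and under the per-source limiter."""
    pending = 0
    for _ in range(abuser_conns):
        if not fixed_drop(pending, max_startups):
            pending += 1
    victim_fixed = not fixed_drop(pending, max_startups)

    lim = PerSourceLimiter(per_ip=per_ip)
    abuser_admitted = sum(lim.admit(abuser_ip) for _ in range(abuser_conns))
    victim_per_source = lim.admit(victim_ip)
    return {
        "fixed_global": victim_fixed,
        "per_source": victim_per_source,
        "abuser_admitted_per_source": abuser_admitted,
    }


if __name__ == "__main__":
    # constructed addresses from the RFC 5737 documentation ranges
    print(flood_scenario("192.0.2.10", "198.51.100.7", abuser_conns=50))
    print("RED drop at 55 pending with 10:30:100:", red_drop(55, 10, 30, 100))
```

With the assumed limits, 50 idle connections from one address leave a fixed MaxStartups of 10 full for everyone else, while the per-source limiter admits only three of them and still lets the other client in. The RED form is what sshd_config expresses as `MaxStartups 10:30:100`, which OpenSSH later made the shipped default, and per-source limiting of this shape later appeared in sshd_config as `PerSourceMaxStartups` and `PerSourceNetBlockSize` (OpenSSH 8.5).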
