Wednesday, July 30, 2008

How To Protect SSH From Multiple and Parallel Coordinated Attacks

Multiple SSH attacks coming from multiple hosts with multiple connection can bog down even a firewalled SSH server. Minimizing these kind of attacks can lessen SSH brute force attempts and decrease SSH hack attempts at the same time. Here's a quick entry on how to tweak SSH configuration to limit the maximum number of unauthenticated SSH connection at a certain period of time.

OpenSSH MaxStartups SSH Directive

By limiting the value of Maxstartups SSH directive, the maximum simultaneous number of unauthenticated connections that the SSH server will handle is also decreased. That is, ssh server will be explicitly restricted to a maximum number of simultaneous unauthenticated SSH connections only. Thus, when triggered, SSH daemon service would then ignore and deny other parallel and coordinated SSH brute force attacks with multiple connections and will be continuously dropping SSH connections until a single authentication succeeds or the LoginGraceTime expires from the recent connection.

MaxStartUps Usage

By default, MaxStartups is set to 10. The smaller the maxstartups value, the smaller the chance of receiving simultaneous and parallel attacks from a single host with multiple connections. Now, to implement this SSH security, backup and modify /etc/ssh/sshd_config SSH configuration file to reflect the sample below SSH directive

MaxStartups 2:50:5

The numbers represent start:rate:full legends.

From the above maxstartup value, SSH server will refuse connection attempts with a probability rate of 50% if there are currently 2 unauthenticated sessions. The probability rate increases linearly if SSH connection attempts reaches the full value of 5.

Basically, MaxStartups 2:50:5 allows 2 users to attempt SSH authentication at the same time and ignores any other SSH connections if current SSH connection attempts reaches the value of 5. SSH further ignorance to unauthenticated SSH connection can be override simply by being authenticated or expiring the current logingracetime value.

Remember that when defining SSH maxstartups value, it is also necessary to consider the total number of shell users a SSH server currently.

All is done.

0 comments:

Sign up for PayPal and start accepting credit card payments instantly.
ILoveTux - howtos and news | About | Contact | TOS | Policy