topic Re: ssh attack, allows partial DOS in Operating System - OpenVMS

ssh attack, allows partial DOS

Kelly Cox — Mon, 06 Feb 2006 10:24:42 GMT

VMS 8.2, alpha, tcp 5.5 eco1
This is mostly a warning. The default ssh connection limit of 10,000 easily allows ssh robots to overrun maxprocesscnt. When this has happened on my system it has forced a shutdown of the batch queue and I don't know what else. This causes a partial denial-of-service. I think during install of ssh, it should put a realistic limit based on current maxprocesscnt or have some quicker means of intrusion blocking of ip ranges.

Re: ssh attack, allows partial DOS

Wim Van den Wyngaert — Mon, 06 Feb 2006 10:32:29 GMT

This while the default for rsh is 3 ...

Thx for the warning. Changed it on my system.

Wim

Re: ssh attack, allows partial DOS

Ian Miller. — Mon, 06 Feb 2006 10:36:23 GMT

Same could be said for telnet which causes a process creation.

Re: ssh attack, allows partial DOS

Heinz W Genhart — Mon, 06 Feb 2006 11:08:27 GMT

Hi
I had same problem too.

During night I observe sometimes 200 - 500 attepts to login to my system via ssh. The problem is then, that my system does not have enough process slots. If a batch job is starting at exactly the time, where I do not have a free balanceset slot, the batchjob can't start.

I solved the problem by adding some code to the ssh's login.com. If there are more than 5 connects from the same source address within 1 minute, I just kill them with stop/id. Further I introduced private and public keys. This way I can be sure, that i will not have uninvited guests.....

Regards

Heinz

Re: ssh attack, allows partial DOS

Volker Halle — Mon, 06 Feb 2006 11:35:16 GMT

re: Ian,

Same could be said for telnet which causes a process creation

But the service limit for TELNET seems to be more 'reasonable'.

Make sure you reduce the SSH service limit way beyond your MAXPROCESSCNT system parameter.

Batch queues will stop, if process creation fails with %JBC-F-NOSLOT due to exceeding MAXPROCESSCNT.

Volker.

Re: ssh attack, allows partial DOS

Wim Van den Wyngaert — Mon, 06 Feb 2006 11:42:39 GMT

While on the subject of SSH.

1) Try copying a file of 15 MB between 2 SSH nodes.

rcp : 25 sec, 2% cpu
scp : 100 sec, +- 20% cpu

2) Prio of the encrypting process : 8

3) Prio of the remote process when doing SSH as rsh : 2 (interactive : 4).

Over here they are considering copying db's between nodes with it. Will need some extra cpu's ... good business for HP (and the others).

Wim

Re: ssh attack, allows partial DOS

Rick Dyson — Tue, 07 Feb 2006 09:10:23 GMT

Sorry for the dumb question, but where would I quickly check to see if my SSH server config has a large connection limit? What value, where? Is this specific to v5.5 or would it be true for v5.4, too?

Thanks!

Re: ssh attack, allows partial DOS

Wim Van den Wyngaert — Tue, 07 Feb 2006 09:13:21 GMT

$ ucx sho servi ssh/fu
field limit is max
$ ucx set servi ssh/lim=10
to modify it but
$ ucx disa servi ssh
$ ucx ena servi ssh
to activate it

Wim

Re: ssh attack, allows partial DOS

Robert_Boyd — Tue, 07 Feb 2006 10:21:37 GMT

Kelly,

Thanks for the heads up on this issue.

I agree with you about putting a realistic limit on the number of sessions. Certainly a base value of 10% or even 20% of maxprocesscnt would be the maximum that this number should be set to by default. I can imagine that someone might have a server where ALL of the remote activity is conducted through SSH -- on such a system you might want the limit to be 50% or higher, but give the system manager the responsibility to raise it.

Robert

Re: ssh attack, allows partial DOS

Kelly Cox — Thu, 20 Apr 2006 13:49:06 GMT

No real solution, just closing.