Operating System - OpenVMS

Re: ssh attack, allows partial DOS

 
Kelly Cox
Frequent Advisor

ssh attack, allows partial DOS

VMS 8.2, alpha, tcp 5.5 eco1
This is mostly a warning. The default ssh connection limit of 10,000 easily allows ssh robots to overrun maxprocesscnt. When this has happened on my system it has forced a shutdown of the batch queue and I don't know what else. This causes a partial denial-of-service. I think during install of ssh, it should put a realistic limit based on current maxprocesscnt or have some quicker means of intrusion blocking of ip ranges.
Wim Van den Wyngaert
Honored Contributor

Re: ssh attack, allows partial DOS

This while the default for rsh is 3 ...

Thx for the warning. Changed it on my system.

Wim
Ian Miller.
Honored Contributor

Re: ssh attack, allows partial DOS

Same could be said for telnet which causes a process creation.
____________________
Purely Personal Opinion
Heinz W Genhart
Honored Contributor

Re: ssh attack, allows partial DOS

Hi
I had the same problem too.

During the night I sometimes observe 200 - 500 attempts to login to my system via ssh. The problem is then that my system does not have enough process slots. If a batch job is starting at exactly the time where I do not have a free balance set slot, the batch job can't start.

I solved the problem by adding some code to the ssh's login.com. If there are more than 5 connects from the same source address within 1 minute, I just kill them with stop/id. Further I introduced private and public keys. This way I can be sure that I will not have uninvited guests.....

Regards

Heinz
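An added illustration of the per-source rate check Heinz describes (more than 5 connects from one address inside a minute), written here in Python over constructed connection records rather than as DCL in login.com; this is not code from the thread, and the record format, addresses and timestamps are made-up assumptions, not TCP/IP Services output.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records: (timestamp, source address). Made-up values,
# not real TCP/IP Services log output; a site would feed its own connection
# log or accounting data here.
SAMPLE_CONNECTS = [
    ("2006-03-01 02:00:01", "192.0.2.10"),
    ("2006-03-01 02:00:05", "192.0.2.10"),
    ("2006-03-01 02:00:09", "198.51.100.7"),
    ("2006-03-01 02:00:14", "192.0.2.10"),
    ("2006-03-01 02:00:22", "192.0.2.10"),
    ("2006-03-01 02:00:31", "192.0.2.10"),
    ("2006-03-01 02:00:40", "192.0.2.10"),   # 6th connect within 60 s
    ("2006-03-01 02:03:00", "198.51.100.7"),
    ("2006-03-01 02:05:00", "192.0.2.10"),   # earlier burst has aged out
]

WINDOW = timedelta(seconds=60)   # Heinz's "within 1 minute"
THRESHOLD = 5                    # Heinz's "more than 5 connects"


def flag_bursts(records, window=WINDOW, threshold=THRESHOLD):
    """Return the (timestamp, source) connects that push one source past
    `threshold` connects inside a sliding `window`.

    Each flagged record is a connection that a per-connection hook such as
    Heinz's login.com check would refuse, so it never holds a process slot
    that a batch job needs.
    """
    recent = defaultdict(deque)   # source -> timestamps still in the window
    flagged = []
    for stamp, source in sorted(records):   # ISO timestamps sort as text
        now = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S")
        q = recent[source]
        while q and now - q[0] > window:    # expire connects older than window
            q.popleft()
        q.append(now)
        if len(q) > threshold:
            flagged.append((stamp, source))
    return flagged


if __name__ == "__main__":
    for stamp, source in flag_bursts(SAMPLE_CONNECTS):
        print(f"{stamp}  refuse connect from {source}")
```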
Volker Halle
Honored Contributor

Re: ssh attack, allows partial DOS

re: Ian,

Same could be said for telnet which causes a process creation

But the service limit for TELNET seems to be more 'reasonable'.

Make sure you reduce the SSH service limit way beyond your MAXPROCESSCNT system parameter.

Batch queues will stop, if process creation fails with %JBC-F-NOSLOT due to exceeding MAXPROCESSCNT.

Volker.
Wim Van den Wyngaert
Honored Contributor

Re: ssh attack, allows partial DOS

While on the subject of SSH.

1) Try copying a file of 15 MB between 2 SSH nodes.

rcp : 25 sec, 2% cpu
scp : 100 sec, +- 20% cpu

2) Prio of the encrypting process : 8

3) Prio of the remote process when doing SSH as rsh : 2 (interactive : 4).

Over here they are considering copying db's between nodes with it. Will need some extra cpu's ... good business for HP (and the others).

Wim
Rick Dyson
Valued Contributor

Re: ssh attack, allows partial DOS

Sorry for the dumb question, but where would I quickly check to see if my SSH server config has a large connection limit? What value, where? Is this specific to v5.5 or would it be true for v5.4, too?

Thanks!

Wim Van den Wyngaert
Honored Contributor

Re: ssh attack, allows partial DOS

$ ucx sho servi ssh/fu
field limit is max
$ ucx set servi ssh/lim=10
to modify it but
$ ucx disa servi ssh
$ ucx ena servi ssh
to activate it

Wim
Robert_Boyd
Respected Contributor

Re: ssh attack, allows partial DOS

Kelly,

Thanks for the heads up on this issue.

I agree with you about putting a realistic limit on the number of sessions. Certainly a base value of 10% or even 20% of maxprocesscnt would be the maximum that this number should be set to by default. I can imagine that someone might have a server where ALL of the remote activity is conducted through SSH -- on such a system you might want the limit to be 50% or higher, but give the system manager the responsibility to raise it.

Robert
Master you were right about 1 thing -- the negotiations were SHORT!
Kelly Cox
Frequent Advisor

Re: ssh attack, allows partial DOS

No real solution, just closing.