Operating System - OpenVMS
cancel
Showing results for 
Search instead for 
Did you mean: 

ssh attack, allows partial DOS

 
Kelly Cox
Frequent Advisor

ssh attack, allows partial DOS

VMS 8.2, alpha, tcp 5.5 eco1
This is mostly a warning. The default ssh connection limit of 10,000 easily allows ssh robots to overrun maxprocesscnt. When this has happened on my system it has forced a shutdown of the batch queue and I don't know what else. This causes a partial denial-of-service. I think during install of ssh, it should put a realistic limit based on current maxprocesscnt or have some quicker means of intrusion blocking of ip ranges.
9 REPLIES
Wim Van den Wyngaert
Honored Contributor

Re: ssh attack, allows partial DOS

This while the default for rsh is 3 ...

Thx for the warning. Changed it on my system.

Wim
Wim
Ian Miller.
Honored Contributor

Re: ssh attack, allows partial DOS

Same could be said for telnet which causes a process creation.
____________________
Purely Personal Opinion
Heinz W Genhart
Honored Contributor

Re: ssh attack, allows partial DOS

Hi
I had same problem too.

During night I observe sometimes 200 - 500 attepts to login to my system via ssh. The problem is then, that my system does not have enough process slots. If a batch job is starting at exactly the time, where I do not have a free balanceset slot, the batchjob can't start.

I solved the problem by adding some code to the ssh's login.com. If there are more than 5 connects from the same source address within 1 minute, I just kill them with stop/id. Further I introduced private and public keys. This way I can be sure, that i will not have uninvited guests.....

Regards

Heinz
Volker Halle
Honored Contributor

Re: ssh attack, allows partial DOS

re: Ian,


Same could be said for telnet which causes a process creation


But the service limit for TELNET seems to be more 'reasonable'.

Make sure you reduce the SSH service limit way beyond your MAXPROCESSCNT system parameter.

Batch queues will stop, if process creation fails with %JBC-F-NOSLOT due to exceeding MAXPROCESSCNT.

Volker.
Wim Van den Wyngaert
Honored Contributor

Re: ssh attack, allows partial DOS

While on the subject of SSH.

1) Try copying a file of 15 MB between 2 SSH nodes.

rcp : 25 sec, 2% cpu
scp : 100 sec, +- 20% cpu

2) Prio of the encrypting process : 8

3) Prio of the remote process when doing SSH as rsh : 2 (interactive : 4).

Over here they are considering copying db's between nodes with it. Will need some extra cpu's ... good business for HP (and the others).

Wim
Wim
Rick Dyson
Valued Contributor

Re: ssh attack, allows partial DOS

Sorry for the dumb question, but where would I quickly check to see if my SSH server config has a large connection limit? What value, where? Is this specific to v5.5 or would it be true for v5.4, too?

Thanks!

Wim Van den Wyngaert
Honored Contributor

Re: ssh attack, allows partial DOS

$ ucx sho servi ssh/fu
field limit is max
$ ucx set servi ssh/lim=10
to modify it but
$ ucx disa servi ssh
$ ucx ena servi ssh
to activate it

Wim
Wim
Robert_Boyd
Respected Contributor

Re: ssh attack, allows partial DOS

Kelly,

Thanks for the heads up on this issue.

I agree with you about putting a realistic limit on the number of sessions. Certainly a base value of 10% or even 20% of maxprocesscnt would be the maximum that this number should be set to by default. I can imagine that someone might have a server where ALL of the remote activity is conducted through SSH -- on such a system you might want the limit to be 50% or higher, but give the system manager the responsibility to raise it.

Robert
Master you were right about 1 thing -- the negotiations were SHORT!
Kelly Cox
Frequent Advisor

Re: ssh attack, allows partial DOS

No real solution, just closing.