please specify recommended connection throttling settings against #263
Comments
This was already on my private to-do list, which will be handled within the next few days. I'm still doing final tests on my end, but it seems so far there are two possibilities for handling CVE-2002-20001. The first is to use
Pros include a complete and flexible solution that won't interfere with any ssh-audit tests or legitimate use cases. Cons include... just a slightly more complex config? (Is that even a real con?)
I think that venturing into iptables falls outside the scope of OpenSSH configuration hardening. What I was asking about (which the hardening guide should address) is how to achieve the recommended "server must respond with a rate less than 20.0 conns/sec to be considered safe."
The only two methods I know to reduce the rate of incoming connections in order to avoid the DoS condition is to use I plan on updating the guides to list both methods, along with the pros & cons of each. The end users can then decide for themselves which they'd like to implement.
The key question was how to achieve "less than 20.0 conns/sec" and with which setting.
I've revised the connection rate warning just now to:
It points the user to the hardening guides, though as of right now, they don't include the updated instructions yet. I'll be adding that in the next few days.
The guides have been updated for Ubuntu Server 22.04 and Amazon Linux 2023. The rest will roll out over the next few days.
One aspect mentioned in #262 was connection throttling as a mitigation against CVE-2002-20001. However, the hardening guide that accompanies ssh-audit doesn't specify what the settings should be. As a result, playing with the settings keeps on producing the following line:
(nfo) Potentially insufficient connection throttling detected, resulting in possible vulnerability to the DHEat DoS attack (CVE-2002-20001). Suppress this test and message with the --skip-rate-test option. Additional info: 38 connections were created in 0.224 seconds, or 169.8 conns/sec; server must respond with a rate less than 20.0 conns/sec to be considered safe.
It would therefore be desirable for the hardening guide to specify the recommended values for MaxStartups, PerSourceMaxStartups, PerSourceNetBlockSize and any other setting meant to mitigate this.
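The following is an added model (not code from ssh-audit or OpenSSH) of how sshd's MaxStartups random early drop behaves, using the `start:rate:full` semantics documented in the sshd_config manual. It shows why MaxStartups bounds the number of *concurrent* unauthenticated connections rather than directly setting a conns/sec figure; the Monte Carlo part assumes every accepted connection stays unauthenticated for `hold_sec` seconds (an assumption, standing in for connections that are abandoned until LoginGraceTime expires).

```python
"""Model of sshd's MaxStartups random early drop (added example, not ssh-audit code).
Semantics follow the sshd_config manual: below `start` pending unauthenticated
connections nothing is dropped, at `start` the drop chance is rate%, and it rises
linearly to 100% at `full`. A bare integer N is a hard cap, equivalent to N:100:N."""
import random


def parse_max_startups(value: str):
    """Parse a MaxStartups value: 'start:rate:full' or a bare integer."""
    parts = [int(p) for p in value.split(":")]
    if len(parts) == 1:                      # bare N: hard cap
        return parts[0], 100, parts[0]
    start, rate, full = parts
    if not (0 < start <= full) or not (0 <= rate <= 100):
        raise ValueError(f"invalid MaxStartups: {value!r}")
    return start, rate, full


def drop_probability(pending: int, start: int, rate: int, full: int) -> float:
    """Chance sshd refuses a new connection with `pending` unauthenticated ones open."""
    if pending < start:
        return 0.0
    if pending >= full:
        return 1.0
    return (rate + (100 - rate) * (pending - start) / (full - start)) / 100


def simulate_accept_rate(max_startups: str, offered_per_sec: int,
                         hold_sec: int, seconds: int, seed: int = 1) -> float:
    """Monte Carlo: `offered_per_sec` attempts arrive each second; every accepted
    connection occupies an unauthenticated slot for `hold_sec` seconds (assumed
    worst case: nobody ever authenticates). Returns accepted connections per second."""
    rng = random.Random(seed)
    start, rate, full = parse_max_startups(max_startups)
    pending = []            # expiry times of accepted, still-unauthenticated connections
    accepted = 0
    for t in range(seconds):
        pending = [expiry for expiry in pending if expiry > t]   # free finished slots
        for _ in range(offered_per_sec):
            if rng.random() >= drop_probability(len(pending), start, rate, full):
                pending.append(t + hold_sec)
                accepted += 1
    return accepted / seconds


if __name__ == "__main__":
    # Constructed scenario: 170 attempts/sec (close to the 169.8 conns/sec in the
    # report above) against the default 10:30:100 and against a hard cap of 10.
    for cfg in ("10:30:100", "10"):
        print(cfg, simulate_accept_rate(cfg, 170, 120, 60))
```

The accepted rate settles at roughly `full / hold_sec` connections per second once the slots fill, so the conns/sec that ssh-audit measures depends on the hold time as much as on MaxStartups itself.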