[3814] in bugtraq
Re: Possible Denial of Service: SSH
daemon@ATHENA.MIT.EDU (Jim Dennis)
Wed Dec 18 18:13:44 1996
Date: Wed, 18 Dec 1996 13:41:00 -0800
Reply-To: Jim Dennis <jimd@starshine.org>
From: Jim Dennis <jimd@starshine.org>
X-To: tsoome@ut.ee
To: Multiple recipients of list BUGTRAQ <BUGTRAQ@netspace.org>
In-Reply-To: <Pine.GSO.3.95.961218112419.10566A-100000@madli.ut.ee> from
"Toomas Soome" at Dec 18, 96 11:30:42 am
> On Tue, 17 Dec 1996, Sean B. Hamor wrote:
>
>> I believe I may have found a possible denial of service attack for use
>> against SSH. The attack requires an account on the target machine. I found
>> this using the following setup:
>>
...
>>
> there is mutch simpler way to block sshd - just force sshd to ask password
> in login time, now create connection and let ssh to wait for password....
> no one can login with ssh (with or without password) during this wait
> time.... tested with 1.2.17
>
> toomas soome
Try configuring it to run via inetd with a nowait flag in
the /etc/inetd.conf.
This will make the initial connection (the latency) much
longer but should prevent that problem.
Naturally this decision hinges upon your use. For a
multi-user shell machine, use inetd.conf. For your personal
workstation or one of your servers; where you only need
or a few people to access it -- and you have packet filters
to prevent DOSA from outside; use a statically loaded sshd.
You can also configure sshd to refuse connections from
unknown hosts. You could also keep one statically loaded
sshd on one port -- and keep an inetd launched one on another
port (so you only access the inetd one manually when it appears
that you are being victimized).
Jim Dennis,
Starshine Technical Services
