On Tue, 11 Dec 2001, Robert van der Meulen wrote:

> Do you get this problem both when running sshd from inetd and standalone?

The resource exhaustion attacks occur both standalone and from some 'super server', i.e. inetd.

> Opening up a big number of connections to the server starves out the
> number of available sockets, disallowing new connects. I can't think
> of an easy way to solve this, without using an external measure (such
> as a combination of --limit and --limit-burst iptables rules on
> linux).

Alternatively you can use xinetd, which has a maximum connections directive, and also a "max from any one IP" directive. Both of those help stave off resource exhaustion attacks by ssh.

http://security-archive.merton.ox.ac.uk/bugtraq-199909/0207.html

OpenSSH committed a fix for this before we even noted it widely, and a friend even fixed a SIGCHLD problem (Craig Copi, see ChangeLog in OpenSSH-portable) way back in 1999. I don't think SSH.com ever did a fix for SSH1 daemons, citing it was deprecated ....

____________________________
jose nazario                      joseat_private
PGP: 89 B0 81 DA 5B FD 7E 00 99 C3 B2 CD 48 A0 07 80
PGP key ID 0xFD37F4E5 (pgp.mit.edu)
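The two mitigations named in the exchange above, as an added example that is not part of the original mail or of any project it mentions: an xinetd service stanza for sshd that uses the "maximum connections" and "max from any one IP" directives (xinetd calls them instances and per_source; cps is xinetd's own connections-per-second throttle), the iptables --limit / --limit-burst rules for new SSH connection attempts, and a small check that reports which caps an existing xinetd service file is missing. The numeric limits (30 instances, 5 per source, 5 new connections per minute with a burst of 10) are illustrative assumptions and should be tuned to the site; the function and chain names are the author's choice here, not anything from the thread.

```shell
#!/bin/sh
# Added example, not from the original mail. Illustrative limits; adjust for your site.

# Emit an xinetd service stanza for sshd with connection caps.
#   instances  : total concurrent sshd processes xinetd will run for this service
#   per_source : concurrent connections permitted from any single source IP
#   cps        : new connections per second allowed before xinetd pauses the
#                service for the given number of seconds (here 10/s, 30 s pause)
sshd_xinetd_stanza() {
    cat <<'EOF'
service ssh
{
    disable         = no
    socket_type     = stream
    protocol        = tcp
    wait            = no
    user            = root
    server          = /usr/sbin/sshd
    server_args     = -i
    instances       = 30
    per_source      = 5
    cps             = 10 30
    log_on_failure  += HOST
}
EOF
}

# Emit iptables rules that rate-limit new SSH connections (TCP SYNs to port 22).
# -m limit is a single token bucket shared by all sources: on average 5 new
# connections per minute, with up to 10 accepted in a burst; the rest are dropped.
ssh_iptables_rules() {
    cat <<'EOF'
iptables -N SSH_LIMIT
iptables -A INPUT -p tcp --dport 22 --syn -j SSH_LIMIT
iptables -A SSH_LIMIT -m limit --limit 5/min --limit-burst 10 -j ACCEPT
iptables -A SSH_LIMIT -j DROP
EOF
}

# Check an xinetd service file for the three caps; print any that are missing.
# Returns 0 when all are present, 1 otherwise.
xinetd_limits_missing() {
    _file=$1
    _missing=""
    for _d in instances per_source cps; do
        grep -Eq "^[[:space:]]*${_d}[[:space:]]*=" "$_file" \
            || _missing="$_missing $_d"
    done
    if [ -n "$_missing" ]; then
        echo "missing in $_file:$_missing"
        return 1
    fi
    echo "all connection caps present in $_file"
    return 0
}

# Install both pieces (root required). Not invoked automatically.
install_sshd_limits() {
    sshd_xinetd_stanza > /etc/xinetd.d/ssh
    xinetd_limits_missing /etc/xinetd.d/ssh
    ssh_iptables_rules | sh
}
```

xinetd's per_source cap limits each source address separately, while the iptables -m limit bucket counts every source together, so a flood from one host can exhaust the shared bucket and lock out legitimate users as well; the two measures complement each other rather than substitute for each other. Run xinetd_limits_missing against /etc/xinetd.d/ssh on an existing host to see which caps are still unset before changing anything.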
This archive was generated by hypermail 2b30 : Tue Dec 11 2001 - 09:49:12 PST