Bugtraq mailing list archives

Re: remote DoS against inetd and ssh


From: jose () BIOCSERVER BIOC CWRU EDU (Jose Nazario)
Date: Wed, 8 Sep 1999 10:49:12 -0400


hi,

yeah, i noted this to the ssh development team in march, 1999. this was
under version 1.2.26, and then 1.2.27 came out and there was no fix for
it. i didn't BUGTRAQ it as i find such info without a real fix to be
irresponsible. my coding sucks and i haven't been able to get my
MaxClients parameter to work in sshd. this would then be analogous to that
found in the apache web server. my incomplete code diffs are available to
anyone who wants to make it work, i get errors when it forks the child
process to handle the socket.

an alternative i use on my servers is to install xinetd and load sshd into
xinetd. instances control in xinetd takes care of that issue. similar inetd
replacements which have instances control would also work. be sure to use
the "-i" flag since it's no longer standalone. a working xinetd config for
it would look like:

service ssh
{
        socket_type     = stream
        protocol        = tcp
        wait            = no
        user            = root
        server          = /usr/local/sbin/sshd
        server_args     = -i
        instances       = 10
}

<rant>
this is pretty irresponsible of ssh's development team to leave such an
obvious point of trouble in their code long before i even mentioned it to
them. the apache team noted in their configuration comments why they have
a MaxClients type of parameter, to prevent resource exhaustion of a
standalone daemon. sshd is recommended to be run as standalone, and
installs by default as standalone, their lack of observation of this
parameter is stunning.

i just didn't want to be party to this irresponsibility and post a DoS
that could affect a $#@%load of machines without some real code fix. an
%$@#load of admins use sshd on their machines for secure WAN connectivity
and are vulnerable to this annoying DoS.
</rant>

sincerely,

jose nazario                                    jose () biochemistry cwru edu
PGP 2.6.2 key fingerprint: 89 B0 81 DA 5B FD 7E 00  99 C3 B2 CD 48 A0 07 80
Public key available at http://biocserver.cwru.edu/~jose/pgp-key.asc
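
The MaxClients-style cap discussed in the message above, sketched for a generic forking TCP daemon. This is an added example, not the poster's diffs and not sshd code; MAX_CLIENTS, port 2222 and the echo handler serve_client() are assumptions made for illustration.

```c
/* Added example: forking server that refuses connections past a fixed cap. */
#include <netinet/in.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <unistd.h>

#define MAX_CLIENTS 10      /* assumed value; same role as "instances = 10" */
static int active;          /* children forked and not yet reaped */

/* Collect exited children without blocking; returns how many were reaped. */
int reap_children(void) {
    int n = 0;
    while (waitpid(-1, NULL, WNOHANG) > 0) { active--; n++; }
    return n;
}

/* Hypothetical per-connection work: echo until the peer closes. */
static void serve_client(int cfd) {
    char buf[256];
    ssize_t n;
    while ((n = read(cfd, buf, sizeof buf)) > 0)
        if (write(cfd, buf, (size_t)n) < 0) break;
}

/* Fork a handler for cfd unless the cap is reached. Returns the child pid,
 * or -1 if refused or fork failed. The parent always closes its copy of
 * cfd, so refused connections do not pile up as open descriptors. */
pid_t handle_conn(int cfd, int max_clients) {
    pid_t pid = -1;
    reap_children();                    /* refresh the count before deciding */
    if (active < max_clients && (pid = fork()) == 0) {
        serve_client(cfd);
        _exit(0);
    }
    if (pid > 0) active++;
    close(cfd);
    return pid;
}

int main(void) {
    struct sockaddr_in sa = { .sin_family = AF_INET, .sin_port = htons(2222) };
    int one = 1, lfd = socket(AF_INET, SOCK_STREAM, 0);
    sa.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    setsockopt(lfd, SOL_SOCKET, SO_REUSEADDR, &one, sizeof one);
    if (lfd < 0 || bind(lfd, (struct sockaddr *)&sa, sizeof sa) || listen(lfd, 16))
        return 1;
    for (;;) {
        int cfd = accept(lfd, NULL, NULL);
        if (cfd >= 0) handle_conn(cfd, MAX_CLIENTS);
    }
}
```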

