SSH服务的几个超时参数 以及 类似DDOS攻击的方法

背景

sshd是Linux的一个常用的网络连接的服务，通常被用来远程连接，管理服务器。

一般我们很少去配置sshd，本文要给大家分享几个sshd的参数，有超时参数，有触发拒绝连接的参数等等。

如果你哪天遇到类似的问题，也行能帮助你找到问题的根源。

sshd 空闲超时参数

man sshd_config

• 连续接收到几次sshd发送给客户端的alive包之后，中断该SSH会话。

     ClientAliveCountMax
             Sets the number of client alive messages (see below) which may be sent without sshd(8) receiving any messages back from the client.  
             If this threshold is reached while client alive messages are being sent, sshd will disconnect the client, terminating the session.  
         It is important to note that the use of client alive messages is very different from TCPKeepAlive (below).  
         The client alive messages are sent through the encrypted channel and therefore will not be spoofable.  
         The TCP keepalive option enabled by TCPKeepAlive is spoofable.  
         The client alive mechanism is valuable when the client or server depend on knowing when a connection has become inactive.

             The default value is 3.  If ClientAliveInterval (see below) is set to 15, and ClientAliveCountMax is left at the default, 
         unresponsive SSH clients will be disconnected after approximately 45 seconds.

             This option applies to protocol version 2 only.

• 当客户端与SSHD服务端多久间隔没有任何用户数据收发时，发送Alive包。

     ClientAliveInterval
             Sets a timeout interval in seconds after which if no data has been received from the client, 
         sshd(8) will send a message through the encrypted channel to request a response from the client.  
         The default is 0, indicating that these messages will not be sent to the client.  
         This option applies to protocol version 2 only.

所以当设置了ClientAliveCountMax与ClientAliveCountMax，那么如果会话空闲时间超过ClientAliveCountMax * ClientAliveCountMax则退出。

• 如果用户在LoginGraceTime设置的时间内没有认证成功，则断开该连接会话。

     LoginGraceTime
             The server disconnects after this time if the user has not successfully logged in.  
         If the value is 0, there is no time limit.  
         The default is 120 seconds.

拒绝连接的参数

• 如果一个SSH会话认证失败的次数超过MaxAuthTries的一半，则记录额外的错误日志。

     MaxAuthTries
             Specifies the maximum number of authentication attempts permitted per connection.  
         Once the number of failures reaches half this value, additional failures are logged.  
         The default is 6.

• 每个网络连接允许的最大打开会话数

     MaxSessions
             Specifies the maximum number of open sessions permitted per network connection.  
         The default is 10.

• 指定当前最多有多少个未完成认证的并发连接，超过则可能拒绝连接。
  由三个值组成 “start:rate:full” (e.g. "10:30:60").

start表示未完成认证的连接数，当未完成认证的连接数超过start时，rate/100表示新发起的连接有多大的概率被拒绝连接。
如果未完成认证的连接数达到full，则新发起的连接全部拒绝。

     MaxStartups
             Specifies the maximum number of concurrent unauthenticated connections to the SSH daemon.  
         Additional connections will be dropped until authentication succeeds or the LoginGraceTime expires for a connection.  
         The default is 10:30:100.

             Alternatively, random early drop can be enabled by specifying the three colon separated values “start:rate:full” (e.g. "10:30:60").  
         sshd(8) will refuse connection attempts with a probability of “rate/100” (30%) if there are currently “start” (10) unauthenticated connections.  
         The probability increases linearly and all connection attempts are refused if the number of unauthenticated connections reaches “full” (60).

外界可以利用这个对SSHD服务进行类似的ddos攻击，例如用户并发的发起连接，并且不输入密码，等待LoginGraceTime超时。

当未完成认证的连接大于MaxStartups(full)，这样的话，用户正常的连接请求就会被drop掉，非常的危险。

如何减轻呢？
似乎不好搞，但是如果不是DDOS工具，则可以尝试一下以下方法
LoginGraceTime 调低，例如10秒（用户自己要确保10秒能输入密码，否则设置了太复杂的密码就歇菜了）
MaxStartups的几个值都调大，例如300:30:1000

其他配置

sshd命令行与配置文件支持的时间格式

TIME FORMATS
     sshd(8) command-line arguments and configuration file options that specify time may be expressed using a sequence of the form: time[qualifier], 
     where time is a positive integer value and qualifier is one of
     the following:

           ?none?  seconds
           s | S   seconds
           m | M   minutes
           h | H   hours
           d | D   days
           w | W   weeks

     Each member of the sequence is added together to calculate the total time value.

     Time format examples:

           600     600 seconds (10 minutes)
           10m     10 minutes
           1h30m   1 hour 30 minutes (90 minutes)

man sshd

     -g login_grace_time
             Gives the grace time for clients to authenticate themselves (default 120 seconds).  
         If the client fails to authenticate the user within this many seconds, the server disconnects and exits.  
         A value of zero indicates no limit.

摘录

认证时限, 未认证连接, 认证次数介绍
我们可以通过MaxStartups选项对未认证连接的个数进行调整.
下面的连接就是一个未认证连接:

telnet 192.168.27.142 22
Trying 192.168.27.142...
Connected to 192.168.27.142.
Escape character is '^]'.
SSH-2.0-OpenSSH_5.3

同样一个ssh的登录,在没有成功验证前,也是一个未认证连接,如下:

ssh  root@192.168.27.142                            
root@192.168.27.142's password:

MaxStartups 10表示可以有10个ssh的半连接状态, 就像上面一样.
这个选项一定要配合LoginGraceTime选项一起使用.
LoginGraceTime表示认证的时限,我们可以调整认证的时间限制,例如:

LoginGraceTime 20  

即在20秒之内不能完成认证,则断开,如下:

ssh  root@192.168.27.142
root@192.168.27.142's password: 
Connection closed by 192.168.27.142

注意在这里如果密码输入错误,则重新计时,如果我们输错了密码,计时将重新开始,
幸运的是我们有MaxAuthTries,来解决认证次数的问题.

MaxAuthTries 1

这里表示只允许输错一回密码.
我们要注意的是除了SSH自身的选项控制认证次数外,它还通过pam进行验证,所以如果我们设置 MaxAuthTries 10,则允许输错密码的次数可能还是3,如果MaxAuthTries 2,则以MaxAuthTries为准.
如果是MaxAuthTries 2,我们输错密码的提示如下:

ssh  root@192.168.27.142
root@192.168.27.142's password: 
Permission denied, please try again.
root@192.168.27.142's password: 
Received disconnect from 192.168.27.142: 2: Too many authentication failures for root

祝大家玩得开心，欢迎随时来 阿里云促膝长谈 业务需求 ，恭候光临。

阿里云的小伙伴们加油，努力做 最贴地气的云数据库 。