How to restrict max ssh connections?
Hello friends,
I have CentOS 6.4. I want to allow concurrent remote login only from 3 users; if a 4th user tries he should get access denied. I tried the following in /etc/security/limits.conf:
Code:
root hard maxlogins 2
Thanks in advance
Try setting MaxSessions in sshd_config. Be sure to restart ssh.
http://linux.die.net/man/5/sshd_config
Thank you michaelk.
I have tried this but it is not working. I have set MaxSessions 3 in /etc/ssh/sshd_config. But still more than 3 users are able to login over ssh to the server.
Code:
[root@test ~]# lsof -i :22
COMMAND   PID USER   FD   TYPE  DEVICE SIZE/OFF NODE NAME
sshd    15549 root    3r  IPv4 1633906      0t0  TCP s1.example.com:ssh->xxx.xxx.xxx.xxx:45750 (ESTABLISHED)
sshd    17497 root    3u  IPv4 1654288      0t0  TCP *:ssh (LISTEN)
sshd    17497 root    4u  IPv6 1654290      0t0  TCP *:ssh (LISTEN)
sshd    17499 root    3r  IPv4 1654293      0t0  TCP s1.example.com:ssh->xxx.xxx.xxx.xxx:55348 (ESTABLISHED)
sshd    17527 root    3r  IPv4 1654440      0t0  TCP s1.example.com:ssh->xxx.xxx.xxx.xxx:55357 (ESTABLISHED)
sshd    17555 root    3r  IPv4 1654584      0t0  TCP s1.example.com:ssh->xxx.xxx.xxx.xxx:55407 (ESTABLISHED)
sshd    17583 root    3r  IPv4 1654728      0t0  TCP s1.example.com:ssh->xxx.xxx.xxx.xxx:55409 (ESTABLISHED)
Please advise. Thanks
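The lsof listing above shows connections, not logins, and MaxSessions caps shell/login/subsystem sessions multiplexed over a single TCP connection rather than the number of users logged in, so neither tells you whether a login limit is actually being enforced. The script below is an added example (not code from this thread) that counts login sessions per user from `who`-style output and ESTABLISHED sshd sockets from lsof-style output, and flags users above a chosen per-user ceiling; both inputs are constructed samples, and on a real host you would feed it the output of `who` and `lsof -i :22` instead.

```shell
#!/bin/sh
# Added example: audit concurrent SSH logins per user and compare against a
# per-user limit. SAMPLE_WHO and SAMPLE_LSOF are constructed inputs so the
# script runs offline; replace them with `who` / `lsof -i :22` output on a live host.

SAMPLE_WHO='alice    pts/0        2013-09-01 10:01 (192.0.2.10)
alice    pts/1        2013-09-01 10:02 (192.0.2.10)
bob      pts/2        2013-09-01 10:03 (192.0.2.11)
alice    pts/3        2013-09-01 10:04 (192.0.2.12)
carol    pts/4        2013-09-01 10:05 (192.0.2.13)
alice    pts/5        2013-09-01 10:06 (192.0.2.12)'

SAMPLE_LSOF='COMMAND   PID USER   FD   TYPE  DEVICE SIZE/OFF NODE NAME
sshd    15549 root    3r  IPv4 1633906      0t0  TCP host:ssh->192.0.2.10:45750 (ESTABLISHED)
sshd    17497 root    3u  IPv4 1654288      0t0  TCP *:ssh (LISTEN)
sshd    17497 root    4u  IPv6 1654290      0t0  TCP *:ssh (LISTEN)
sshd    17499 root    3r  IPv4 1654293      0t0  TCP host:ssh->192.0.2.10:55348 (ESTABLISHED)
sshd    17527 root    3r  IPv4 1654440      0t0  TCP host:ssh->192.0.2.11:55357 (ESTABLISHED)
sshd    17555 root    3r  IPv4 1654584      0t0  TCP host:ssh->192.0.2.12:55407 (ESTABLISHED)
sshd    17583 root    3r  IPv4 1654728      0t0  TCP host:ssh->192.0.2.12:55409 (ESTABLISHED)'

# logins_per_user WHO_OUTPUT -> "user count" lines sorted by user name
logins_per_user() {
    printf '%s\n' "$1" | awk '{ c[$1]++ } END { for (u in c) print u, c[u] }' | sort
}

# users_over_limit WHO_OUTPUT LIMIT -> names of users with more than LIMIT logins
users_over_limit() {
    logins_per_user "$1" | awk -v lim="$2" '$2 > lim { print $1 }'
}

# total_logins WHO_OUTPUT -> total number of login sessions on the host
total_logins() {
    printf '%s\n' "$1" | grep -c .
}

# established_sshd LSOF_OUTPUT -> number of ESTABLISHED sshd connections;
# the *:ssh LISTEN sockets are the daemon waiting for new connections, not logins
established_sshd() {
    printf '%s\n' "$1" | grep -c 'ESTABLISHED'
}

# Report for the constructed samples with a per-user limit of 3 (the OP's target).
LIMIT=3
echo "logins per user:"
logins_per_user "$SAMPLE_WHO"
echo "total logins: $(total_logins "$SAMPLE_WHO")"
echo "established sshd connections: $(established_sshd "$SAMPLE_LSOF")"
echo "users over limit $LIMIT: $(users_over_limit "$SAMPLE_WHO" "$LIMIT")"
```

If `users_over_limit` ever prints a name on a host where a maxlogins limit is configured, the limit is not being applied, which usually means pam_limits is not in sshd's PAM session stack or UsePAM is off.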
MaxSessions is for limiting the number of active forwarded ports over a given network connection (the default is 10).
There doesn't appear to be a limit for the number of logins permitted.
I agree, I have not found anything yet.
The MaxStartups directive should be looked at too. From the sshd_config man page:
Quote:
Code:
iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --set
The MaxStartups directive doesn't control how many sshd connections exist.
It is only for preventing a DoS where some idiot makes 1000 connections... without logging in. And I don't believe iptables can control it (not certain - haven't tested that).
There is only ONE connection to port 22 active at any time - once the daemon forks and does the accept, you get a different port associated with the socket. This leaves port 22 open for another connection... Port 22 is only used to listen for connection requests. Once one comes in, a different socket (and port) is used.
re
Hi,
you can do this per user in '/etc/security/limits.conf'; at the bottom of the config you have examples.
dubnik