LinuxQuestions.org
Linux - Enterprise This forum is for all items relating to using Linux in the Enterprise.
Old 06-17-2013, 07:46 AM   #1
Anup D.
LQ Newbie
 
Registered: Jan 2012
Location: Nanded
Distribution: RHEL
Posts: 25

How to restrict max ssh connections ?


Hello friends,

I am running CentOS 6.4.

I want to allow concurrent remote login from only 3 users; if a 4th user tries, he should get access denied.

I tried the following in /etc/security/limits.conf
root hard maxlogins 2

Thanks in advance
 
Old 06-17-2013, 09:07 AM   #2
michaelk
Moderator
 
Registered: Aug 2002
Posts: 12,152

Try setting MaxSessions in sshd_config. Be sure to restart ssh.

http://linux.die.net/man/5/sshd_config
 
Old 06-17-2013, 10:18 AM   #3
Anup D.
LQ Newbie
 
Registered: Jan 2012
Location: Nanded
Distribution: RHEL
Posts: 25

Original Poster
Thank you michaelk.

I have tried this but it is not working.

I have set MaxSessions 3 in /etc/ssh/sshd_config file.

But still more than 3 users are able to login over ssh to server.

[root@test ~]# lsof -i :22
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
sshd 15549 root 3r IPv4 1633906 0t0 TCP s1.example.com:ssh->xxx.xxx.xxx.xxx:45750 (ESTABLISHED)
sshd 17497 root 3u IPv4 1654288 0t0 TCP *:ssh (LISTEN)
sshd 17497 root 4u IPv6 1654290 0t0 TCP *:ssh (LISTEN)
sshd 17499 root 3r IPv4 1654293 0t0 TCP s1.example.com:ssh->xxx.xxx.xxx.xxx:55348 (ESTABLISHED)
sshd 17527 root 3r IPv4 1654440 0t0 TCP s1.example.com:ssh->xxx.xxx.xxx.xxx:55357 (ESTABLISHED)
sshd 17555 root 3r IPv4 1654584 0t0 TCP s1.example.com:ssh->xxx.xxx.xxx.xxx:55407 (ESTABLISHED)
sshd 17583 root 3r IPv4 1654728 0t0 TCP s1.example.com:ssh->xxx.xxx.xxx.xxx:55409 (ESTABLISHED)

Please advise.

Thanks
 
Old 06-19-2013, 04:45 AM   #4
jpollard
Senior Member
 
Registered: Dec 2012
Location: Washington DC area
Distribution: Fedora, CentOS, Slackware
Posts: 2,329

MaxSessions is for limiting the number of active forwarded ports over a given network connection (the default is 10).

There doesn't appear to be a limit for the number of logins permitted.
 
Old 06-19-2013, 07:20 AM   #5
michaelk
Moderator
 
Registered: Aug 2002
Posts: 12,152

I agree, I have not found anything yet.
 
Old 06-20-2013, 09:52 AM   #6
TB0ne
Guru
 
Registered: Jul 2003
Location: Birmingham, Alabama
Distribution: SuSE, RedHat, Slack,CentOS
Posts: 15,078

Quote:
Originally Posted by michaelk
Try setting MaxSessions in sshd_config. Be sure to restart ssh.
http://linux.die.net/man/5/sshd_config
The MaxSessions directive (in my opinion), is a good thing to use for security purposes, and I rarely set it above 1. The reason? If userx has a workstation at 10.11.12.13, they can then open ONE SSH window. If someone else spoofs the address, they get rejected. The downside is, if userx has to have multiple windows open...your mileage may vary.

The MaxStartups directive should be looked at too. From the SSHD_CONFIG man page:
Quote:
Originally Posted by SSHD Man Page
MaxStartups
Specifies the maximum number of concurrent unauthenticated connections to the SSH daemon. Additional connections will be dropped until authentication succeeds or the LoginGraceTime expires for a connection. The default is 10:30:100.

Alternatively, random early drop can be enabled by specifying the three colon separated values ``start:rate:full'' (e.g. "10:30:60"). sshd(8) will refuse connection attempts with a probability of ``rate/100'' (30%) if there are currently ``start'' (10) unauthenticated connections. The probability increases linearly and all connection attempts are refused if the number of unauthenticated connections reaches ``full'' (60).
So, if you have 100 users, you can (theoretically), set this to be 100. That does not take into account any SFTP/SCP connections (which also use SSH), nor if someone has two or more open terminal windows. Alternatively, you can also use iptables to limit connections to a particular port:
Code:
iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --set
iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --update --hitcount 10 -j DROP
Modify as needed, changing port/interface. This will only allow 10 connections to the SSH port on 22.
 
Old 06-20-2013, 10:00 AM   #7
jpollard
Senior Member
 
Registered: Dec 2012
Location: Washington DC area
Distribution: Fedora, CentOS, Slackware
Posts: 2,329

The MaxStartups directive doesn't control how many sshd connections exist.

It is only for preventing a DOS where some idiot makes 1000 connections... without logging in.

And I don't believe iptables can control it (not certain - haven't tested that).

There is only ONE connection to port 22 active at any time - once the daemon forks and does the accept - you get a different port associated with the socket. This leaves port 22 open for another connection...

Port 22 is only used to listen for connection requests. Once one comes in a different socket (and port) are used.

Last edited by jpollard; 06-20-2013 at 10:04 AM.
 
Old 07-08-2013, 10:15 AM   #8
dubnik
Member
 
Registered: Dec 2006
Location: Slovakia
Distribution: Red Hat
Posts: 47

re

Hi

You can do this per user in '/etc/security/limits.conf'; at the bottom of the config file you have examples.


dubnik
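Added example, not posted by anyone in this thread: a small POSIX shell audit that reads the per-user session counts from `who` output and compares them with the maxlogins values that pam_limits would take from limits.conf. The `who` lines and the limits.conf fragment below are constructed samples; the limits.conf line "root hard maxlogins 2" is the one from the first post. The resolver is simplified (an explicit user entry wins over "*", "*" is not applied to root, "@group" entries are ignored). Enforcement itself happens at login time through pam_limits.so in the PAM stack sshd uses (with UsePAM yes in sshd_config); maxlogins counts that user's utmp entries, which is why it is a different thing from MaxSessions or MaxStartups. This script only reports who is already over the limit.

```shell
#!/bin/sh
# Audit: per-user login counts from `who` versus maxlogins from limits.conf.
# Constructed sample data follows; see the usage note at the bottom for
# swapping in a live host's `who` output and limits.conf.

# Constructed `who` output (not from the thread).
SAMPLE_WHO='alice    pts/0        2013-06-17 07:40 (10.0.0.5)
alice    pts/1        2013-06-17 07:41 (10.0.0.5)
bob      pts/2        2013-06-17 07:42 (10.0.0.9)
alice    pts/3        2013-06-17 07:44 (10.0.0.5)
root     pts/4        2013-06-17 07:45 (10.0.0.2)
alice    pts/5        2013-06-17 07:46 (10.0.0.5)
root     pts/6        2013-06-17 07:47 (10.0.0.2)
carol    pts/7        2013-06-17 07:48 (10.0.0.7)
root     pts/8        2013-06-17 07:49 (10.0.0.2)'

# Constructed limits.conf fragment: the thread's root line plus a
# wildcard line for everyone else.
SAMPLE_LIMITS='# domain  type  item       value
root      hard  maxlogins  2
*         hard  maxlogins  3'

# count_logins USER WHO_OUTPUT: number of sessions for USER in WHO_OUTPUT.
count_logins() {
    printf '%s\n' "$2" | awk -v u="$1" '$1 == u { n++ } END { print n + 0 }'
}

# resolve_maxlogins USER LIMITS_TEXT: the maxlogins value that applies to
# USER. Simplified pam_limits rules: an explicit user entry wins over "*",
# "*" does not apply to root, "@group" entries are ignored. Prints
# "unlimited" when no entry matches.
resolve_maxlogins() {
    printf '%s\n' "$2" | awk -v u="$1" '
        /^[[:space:]]*#/ || NF < 4 { next }
        $3 == "maxlogins" && $1 == u                   { user = $4 }
        $3 == "maxlogins" && $1 == "*" && u != "root"  { star = $4 }
        END {
            if (user != "") print user
            else if (star != "") print star
            else print "unlimited"
        }'
}

# over_limit WHO_OUTPUT LIMITS_TEXT: users whose current session count
# exceeds their resolved maxlogins, one per line, sorted.
over_limit() {
    printf '%s\n' "$1" | awk '{ print $1 }' | sort -u | while read -r u; do
        lim=$(resolve_maxlogins "$u" "$2")
        n=$(count_logins "$u" "$1")
        if [ "$lim" != "unlimited" ] && [ "$n" -gt "$lim" ]; then
            echo "$u"
        fi
    done
}

# Stand-alone run against the constructed samples.
over_limit "$SAMPLE_WHO" "$SAMPLE_LIMITS"
```

To audit a real host, call `over_limit "$(who)" "$(cat /etc/security/limits.conf)"` instead of the samples. With the sample data above, alice (4 sessions against a wildcard limit of 3) and root (3 sessions against its explicit limit of 2) are reported, while bob and carol are not.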
 