LinuxQuestions.org
Linux - Enterprise: How to restrict max ssh connections? (https://www.linuxquestions.org/questions/linux-enterprise-47/how-to-restrict-max-ssh-connections-4175466328/)

Anup D. 06-17-2013 06:46 AM

How to restrict max ssh connections?
 
Hello friends,

I am running CentOS 6.4.

I want to allow concurrent remote login only for 3 users; if a 4th user tries, he should get access denied.

I tried the following in /etc/security/limits.conf:
root hard maxlogins 2

Thanks in advance

michaelk 06-17-2013 08:07 AM

Try setting maxsessions in sshd_config. Be sure to restart ssh.

http://linux.die.net/man/5/sshd_config

Anup D. 06-17-2013 09:18 AM

Thank you michaelk.

I have tried this but it is not working.

I have set MaxSessions 3 in /etc/ssh/sshd_config file.

But still more than 3 users are able to login over ssh to server.

[root@test ~]# lsof -i :22
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
sshd 15549 root 3r IPv4 1633906 0t0 TCP s1.example.com:ssh->xxx.xxx.xxx.xxx:45750 (ESTABLISHED)
sshd 17497 root 3u IPv4 1654288 0t0 TCP *:ssh (LISTEN)
sshd 17497 root 4u IPv6 1654290 0t0 TCP *:ssh (LISTEN)
sshd 17499 root 3r IPv4 1654293 0t0 TCP s1.example.com:ssh->xxx.xxx.xxx.xxx:55348 (ESTABLISHED)
sshd 17527 root 3r IPv4 1654440 0t0 TCP s1.example.com:ssh->xxx.xxx.xxx.xxx:55357 (ESTABLISHED)
sshd 17555 root 3r IPv4 1654584 0t0 TCP s1.example.com:ssh->xxx.xxx.xxx.xxx:55407 (ESTABLISHED)
sshd 17583 root 3r IPv4 1654728 0t0 TCP s1.example.com:ssh->xxx.xxx.xxx.xxx:55409 (ESTABLISHED)

Please advise.

Thanks

jpollard 06-19-2013 03:45 AM

MaxSessions is for limiting the number of active forwarded ports over a given network connection (the default is 10).

There doesn't appear to be a limit for the number of logins permitted.

michaelk 06-19-2013 06:20 AM

I agree, I have not found anything yet.

TB0ne 06-20-2013 08:52 AM

Quote:

Originally Posted by michaelk (Post 4973428)
Try setting maxsessions in sshd_config. Be sure to restart ssh.
http://linux.die.net/man/5/sshd_config

The MaxSessions directive (in my opinion), is a good thing to use for security purposes, and I rarely set it above 1. The reason? If userx has a workstation at 10.11.12.13, they can then open ONE SSH window. If someone else spoofs the address, they get rejected. The downside is, if userx has to have multiple windows open...your mileage may vary.

The MaxStartups directive should be looked at too. From the SSHD_CONFIG man page:
Quote:

Originally Posted by SSHD Man Page
MaxStartups
Specifies the maximum number of concurrent unauthenticated connections to the SSH daemon. Additional connections will be dropped until authentication succeeds or the LoginGraceTime expires for a connection. The default is 10:30:100.

Alternatively, random early drop can be enabled by specifying the three colon separated values ``start:rate:full'' (e.g. "10:30:60"). sshd(8) will refuse connection attempts with a probability of ``rate/100'' (30%) if there are currently ``start'' (10) unauthenticated connections. The probability increases linearly and all connection attempts are refused if the number of unauthenticated connections reaches ``full'' (60).

So, if you have 100 users, you can (theoretically), set this to be 100. That does not take into account any SFTP/SCP connections (which also use SSH), nor if someone has two or more open terminal windows. Alternatively, you can also use iptables to limit connections to a particular port:
Code:

iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --set
iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --update --hitcount 10 -j DROP

Modify as needed, changing port/interface. This will only allow 10 connections to the SSH port on 22.

jpollard 06-20-2013 09:00 AM

The MaxStartups directive doesn't control how many sshd connections exist.

It is only for preventing a DoS where some idiot makes 1000 connections... without logging in.

And I don't believe iptables can control it (not certain - haven't tested that).

There is only ONE connection to port 22 active at any time - once the daemon forks and does the accept - you get a different port associated with the socket. This leaves port 22 open for another connection...

Port 22 is only used to listen for connection requests. Once one comes in a different socket (and port) are used.
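Anup's lsof listing and jpollard's point about the listening socket versus the per-client sockets can be checked with a small parser. The script below is an added example, not code from anyone in this thread: it takes lsof-style output (a constructed sample with documentation-range addresses is embedded; on a real host feed it `lsof -i :22` or `ss -tn state established '( sport = :22 )'` output instead), separates the two LISTEN sockets on port 22 from the ESTABLISHED sockets that each accepted session gets, and counts sessions per remote address so you can see whether a configured limit is actually being enforced.

```shell
#!/bin/sh
# Added example (not from the thread). Separates sshd's LISTEN sockets from
# the per-session ESTABLISHED sockets in lsof-style output and counts sessions.
# The sample output below is constructed; addresses are RFC 5737 placeholders.

SAMPLE_LSOF='COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
sshd 15549 root 3r IPv4 1633906 0t0 TCP s1.example.com:ssh->198.51.100.10:45750 (ESTABLISHED)
sshd 17497 root 3u IPv4 1654288 0t0 TCP *:ssh (LISTEN)
sshd 17497 root 4u IPv6 1654290 0t0 TCP *:ssh (LISTEN)
sshd 17499 root 3r IPv4 1654293 0t0 TCP s1.example.com:ssh->198.51.100.10:55348 (ESTABLISHED)
sshd 17527 root 3r IPv4 1654440 0t0 TCP s1.example.com:ssh->198.51.100.11:55357 (ESTABLISHED)
sshd 17555 root 3r IPv4 1654584 0t0 TCP s1.example.com:ssh->203.0.113.5:55407 (ESTABLISHED)
sshd 17583 root 3r IPv4 1654728 0t0 TCP s1.example.com:ssh->203.0.113.5:55409 (ESTABLISHED)'

# count_state OUTPUT STATE: number of lines in the given TCP state.
# Only the sockets in (ESTABLISHED) are logged-in or logging-in sessions;
# the (LISTEN) sockets are the single port-22 listener jpollard describes.
count_state() {
    printf '%s\n' "$1" | grep -c "($2)" || true
}

# per_client OUTPUT: "count remote-address" per peer, busiest first.
# The remote address is everything after "->" up to the last ":port".
per_client() {
    printf '%s\n' "$1" \
        | grep '(ESTABLISHED)' \
        | sed 's/.*->\(.*\):[0-9][0-9]*.*/\1/' \
        | sort | uniq -c | sort -rn
}

# check_limit OUTPUT MAX: succeed when established sessions are within MAX.
check_limit() {
    [ "$(count_state "$1" ESTABLISHED)" -le "$2" ]
}

# Stand-alone run: summarise the constructed sample against a limit of 3,
# which is what the original poster wanted to enforce.
echo "listening sockets:   $(count_state "$SAMPLE_LSOF" LISTEN)"
echo "established sessions: $(count_state "$SAMPLE_LSOF" ESTABLISHED)"
echo "sessions per client:"
per_client "$SAMPLE_LSOF"
if check_limit "$SAMPLE_LSOF" 3; then
    echo "within limit of 3"
else
    echo "OVER limit of 3: the configured restriction is not being enforced"
fi
```

The two LISTEN lines share PID 17497 (one IPv4 and one IPv6 listener); every ESTABLISHED line has its own forked sshd PID and its own remote port, which is why counting connections "to port 22" with a single per-port rule does not map onto a per-user login limit.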

dubnik 07-08-2013 09:15 AM

re
 
Hi

You can do this per user in '/etc/security/limits.conf';
at the bottom of the config you have examples.


dubnik
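A maxlogins line in limits.conf only affects SSH logins when sshd hands the session to PAM and the sshd PAM stack loads pam_limits.so; if either piece is missing, the line is silently ignored, which is a likely reason for "root hard maxlogins 2" having no visible effect. The script below is an added example, not dubnik's or the thread's own code. It builds constructed copies of sshd_config, /etc/pam.d/sshd (with a constructed password-auth include, following the RHEL/CentOS 6 layout) and limits.conf in a temp directory and checks each prerequisite; to audit a real host, call check_maxlogins_enforcement with /etc/ssh/sshd_config, /etc/pam.d/sshd and /etc/security/limits.conf instead. File names and contents are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread): verify the prerequisites for
# limits.conf "maxlogins" to be enforced on SSH logins.
# All files below are constructed samples written to a temp directory.

TMP=$(mktemp -d)
trap 'rm -rf "$TMP"' EXIT

cat > "$TMP/sshd_config" <<'EOF'
# constructed sshd_config sample
Port 22
UsePAM yes
MaxSessions 3
EOF

cat > "$TMP/sshd" <<'EOF'
# constructed /etc/pam.d/sshd sample (CentOS 6 style, includes password-auth)
auth       required     pam_sepermit.so
auth       include      password-auth
session    required     pam_loginuid.so
session    include      password-auth
EOF

cat > "$TMP/password-auth" <<'EOF'
# constructed include target: pam_limits lives here on CentOS 6
session    required     pam_limits.so
session    required     pam_unix.so
EOF

cat > "$TMP/limits.conf" <<'EOF'
# constructed limits.conf: each listed user/group may hold at most 3 logins
alice   hard    maxlogins   3
@devs   hard    maxlogins   3
EOF

# A deliberately broken variant (PAM disabled) to exercise the failure path.
cat > "$TMP/sshd_config.nopam" <<'EOF'
UsePAM no
EOF

# sshd_uses_pam FILE: true when an uncommented "UsePAM yes" is present.
sshd_uses_pam() {
    grep -Eiq '^[[:space:]]*UsePAM[[:space:]]+yes' "$1"
}

# pam_loads_limits FILE: true when a session line loads pam_limits.so,
# either directly or in a file pulled in by "session include/substack".
pam_loads_limits() {
    _pamfile=$1
    _pamdir=$(dirname "$_pamfile")
    {
        grep -Ev '^[[:space:]]*#' "$_pamfile" 2>/dev/null
        grep -E '^[[:space:]]*session[[:space:]]+(include|substack)' "$_pamfile" 2>/dev/null \
            | awk '{print $3}' \
            | while read -r inc; do
                  [ -f "$_pamdir/$inc" ] && grep -Ev '^[[:space:]]*#' "$_pamdir/$inc"
              done
    } | grep -Eq '^[[:space:]]*session[[:space:]].*pam_limits\.so'
}

# maxlogins_entries FILE: print "domain type value" for every maxlogins line.
maxlogins_entries() {
    grep -Ev '^[[:space:]]*#|^[[:space:]]*$' "$1" | awk '$3 == "maxlogins" {print $1, $2, $4}'
}

# check_maxlogins_enforcement SSHD_CONFIG PAM_SSHD LIMITS_CONF
# Succeeds only when all three prerequisites hold; names the first one missing.
check_maxlogins_enforcement() {
    sshd_uses_pam "$1" || { echo "$1: UsePAM is not yes; pam_limits never runs for ssh"; return 1; }
    pam_loads_limits "$2" || { echo "$2: no session line loads pam_limits.so"; return 1; }
    [ -n "$(maxlogins_entries "$3")" ] || { echo "$3: no maxlogins entries"; return 1; }
    echo "prerequisites present; maxlogins entries in $3:"
    maxlogins_entries "$3"
}

check_maxlogins_enforcement "$TMP/sshd_config" "$TMP/sshd" "$TMP/limits.conf"
check_maxlogins_enforcement "$TMP/sshd_config.nopam" "$TMP/sshd" "$TMP/limits.conf" || true
```

Even with all three in place, maxlogins is a per-user (or per-group) ceiling on utmp entries, not a server-wide cap on the number of distinct users, so the original poster's "3 users total" goal still needs a matching line for every account or group that may log in.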

