Open jusherma opened 1 year ago
@qiluo-msft please help consider suggestions (2 and 3), as 1 is something we cannot do: we need an in-band connection in some deployments that have no mgmt interface.
I would like to argue that "Implement fail2ban to reject SSH connections from malicious/abusive clients" may not be necessary. We could reject SSH connections via the AAA server.
@liuh-80 to check the possibility of "Reduce the LoginGraceTime".
Currently SONiC is using the default value for 'LoginGraceTime', which is 120 seconds. Reducing the default value risks breaking some existing pipelines.
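To make the arithmetic being discussed in this thread concrete, the following Python is an added example; it is not code from the issue, from SONiC or from OpenSSH. It parses `MaxStartups` and `LoginGraceTime` out of a constructed sshd_config fragment that reproduces the defaults the issue describes (`MaxStartups 10:30:100`, 120 s grace period), reimplements the linear drop-probability ramp sshd applies between the start and full thresholds, and from that estimates how many connection attempts an attacker needs on average to fill every unauthenticated slot and what sustained connection rate keeps the pool full. The sample config, the steady-state model and all function names are assumptions made here.

```python
"""Added example (not code from the issue, SONiC or OpenSSH): how
MaxStartups and LoginGraceTime bound an unauthenticated SSH flood.
The drop decision mirrors the linear ramp sshd applies between the
'start' and 'full' MaxStartups thresholds; the rest is a simple
steady-state model with assumed names."""
import re

# Constructed sshd_config fragment matching what the issue describes:
# OpenSSH defaults (listen on all addresses, MaxStartups 10:30:100,
# LoginGraceTime 120 s).  Not a real SONiC file.
CURRENT_SSHD_CONFIG = """\
Port 22
#ListenAddress 0.0.0.0
MaxStartups 10:30:100
#LoginGraceTime 2m
"""

MAX_STARTUPS_DEFAULT = (10, 30, 100)
LOGIN_GRACE_DEFAULT = 120


def parse_max_startups(config_text):
    """Return (start, rate, full).  'MaxStartups N' alone means refuse
    everything once N unauthenticated sessions exist; an absent or
    commented-out line yields the OpenSSH default 10:30:100."""
    m = re.search(r"^\s*MaxStartups\s+(\d+)(?::(\d+):(\d+))?\s*$",
                  config_text, re.M | re.I)
    if not m:
        return MAX_STARTUPS_DEFAULT
    start = int(m.group(1))
    if m.group(2) is None:
        return (start, 100, start)
    return (start, int(m.group(2)), int(m.group(3)))


def parse_login_grace_time(config_text):
    """Return LoginGraceTime in seconds (default 120).  Accepts bare
    seconds or an s/m/h suffix, as sshd_config does."""
    m = re.search(r"^\s*LoginGraceTime\s+(\d+)([smh]?)\s*$",
                  config_text, re.M | re.I)
    if not m:
        return LOGIN_GRACE_DEFAULT
    value, unit = int(m.group(1)), m.group(2).lower()
    return value * {"": 1, "s": 1, "m": 60, "h": 3600}[unit]


def drop_probability(unauth_open, start, rate, full):
    """Percent chance sshd refuses the next connection while `unauth_open`
    unauthenticated sessions are already in progress.  Integer arithmetic
    on purpose: it is the same ramp sshd computes."""
    if unauth_open < start:
        return 0
    if unauth_open >= full or rate == 100:
        return 100
    p = 100 - rate
    p *= unauth_open - start
    p //= full - start
    p += rate
    return p


def expected_attempts_to_fill(start, rate, full):
    """Mean number of connection attempts needed to take the pool from
    empty to `full`, i.e. to lock legitimate users out, assuming every
    accepted connection just sits there unauthenticated (one geometric
    trial per slot)."""
    attempts = float(start)          # the first `start` are never dropped
    for n in range(start, full):
        accept = 100 - drop_probability(n, start, rate, full)
        if accept == 0:              # rate 100: pool cannot grow past here
            break
        attempts += 100.0 / accept   # expected trials to win one more slot
    return attempts


def flood_rate_to_lock_out(full, grace_seconds):
    """Connections per second an attacker must sustain so the pool stays
    full once filled: each slot is freed after at most `grace_seconds`,
    so `full` slots expire per `grace_seconds` and must be refilled."""
    return full / grace_seconds


if __name__ == "__main__":
    start, rate, full = parse_max_startups(CURRENT_SSHD_CONFIG)
    grace = parse_login_grace_time(CURRENT_SSHD_CONFIG)
    for n in (9, 10, 55, 99, 100):
        print(f"{n:3d} unauthenticated open -> "
              f"{drop_probability(n, start, rate, full):3d}% dropped")
    print(f"expected attempts to fill all {full} slots: "
          f"{expected_attempts_to_fill(start, rate, full):.0f}")
    print(f"rate to stay locked out at {grace}s grace: "
          f"{flood_rate_to_lock_out(full, grace):.2f} conn/s")
    print(f"same with 30s grace: {flood_rate_to_lock_out(full, 30):.2f} conn/s")
```

Under this model the default 10:30:100 pool is filled after roughly six hundred attempts, and holding it full against the 120 s default grace period takes well under one new connection per second from any routed interface; shortening LoginGraceTime raises that sustained rate proportionally, which is the trade-off the comment above weighs against pipelines that rely on the longer window.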
Description
SONiC's SSH daemon is configured to listen on all interfaces, including those meant to pass routed traffic. It also allows 10 concurrent unauthenticated sessions before it begins rejecting some subsequent connections (30%). At 100 concurrent unauthenticated sessions, sshd rejects all subsequent connections.
```
MaxStartups 10:30:100
```
If an attacker makes malicious connections to the SSH server, it can consume all available SSH sessions (even without needing to authenticate), locking legitimate users out of using SSH.
Steps to reproduce the issue:
Run these commands in parallel, where `172.31.0.2` is the IP assigned to Ethernet0 of the SONiC router and `172.31.0.6` is an unassigned IP address:

Describe the results you received:
Describe the results you expected:
Attackers should not be able to flood the SSH server with unauthenticated sessions via routed interfaces.
Suggested Mitigation Steps