Package Details: openssh-socket-activation 1.0-1

Git Clone URL: https://aur.archlinux.org/openssh-socket-activation.git (read-only, click to copy)
Package Base: openssh-socket-activation
Description: systemd socket activation for openssh server
Upstream URL: https://www.openssh.com/portable.html
Keywords: sftp ssh systemd
Licenses: GPL
Submitter: lsevcik
Maintainer: lsevcik
Last Packager: lsevcik
Votes: 3
Popularity: 0.002467
First Submitted: 2021-06-17 20:19 (UTC)
Last Updated: 2021-06-17 20:19 (UTC)

Pinned Comments

lsevcik commented on 2021-06-17 20:38 (UTC) (edited on 2021-06-18 00:19 (UTC) by lsevcik)

Warning

Use of systemd socket activation may result in a Denial of Service attack! See FS#62248 It is advised to not use socket activation on an internet facing connection for this reason. Below are a few ways to (potentially) subvert this issue:

Security through obscurity:

Using systemd unit overriding, change the port that systemd listens on:

# systemctl edit sshd.socket

The contents of the file you edit should look something like:

[Socket]
ListenStream=
ListenStream=2222
Fail2ban:

It is possible to use fail2ban to ban a single IP from causing a denial of service to the server by having it fail after a few connection attempts. Note that this will not stop a Distributed Denial of Service from taking place.

Firewall:

If you know the addresses of the machines that will be connecting to this server, using software such as ufw, firewalld, or iptables to whitelist those IPs can avoid a potential (Distributed) Denial of Service.

Latest Comments

lsevcik commented on 2021-06-17 20:38 (UTC) (edited on 2021-06-18 00:19 (UTC) by lsevcik)

Warning

Use of systemd socket activation may result in a Denial of Service attack! See FS#62248 It is advised to not use socket activation on an internet facing connection for this reason. Below are a few ways to (potentially) subvert this issue:

Security through obscurity:

Using systemd unit overriding, change the port that systemd listens on:

# systemctl edit sshd.socket

The contents of the file you edit should look something like:

[Socket]
ListenStream=
ListenStream=2222
Fail2ban:

It is possible to use fail2ban to ban a single IP from causing a denial of service to the server by having it fail after a few connection attempts. Note that this will not stop a Distributed Denial of Service from taking place.

Firewall:

If you know the addresses of the machines that will be connecting to this server, using software such as ufw, firewalld, or iptables to whitelist those IPs can avoid a potential (Distributed) Denial of Service.