If affected still, you may want to add the -o ServerAliveInterval=10
option to ssh (for Linux or Mac; putty has keepalive settings but not for command line); or leave
For incoming connections, ssh or putty talks to the firewall, and only the firewall knows which internal machine the connection is sent to: currently enna.
When using Cygwin (its ssh and its X server), or maybe from MacOSX, you need the (unsafe) -Y option instead of -X: I guess needed whenever xdpyinfo does not show the SECURITY extension.
Dire warnings (words of Jim Richardson):
Note that skeys are only for use of the person to whom the sheet was allocated, and no forwardings or tunnels other than the above should be used without prior arrangement with the School Computing Manager.
Note for Maths (129.78.68.*, e.g. Magma) users:
You do not need 2FA from such "trusted" hosts.
When that happens, try again in a little while. Long story below.
Rate limits
On occasions, while trying to log in, you may receive errors like
Connection closed by remote host
server unexpectedly closed network connection
Connection refused
or our Web-OTP service may show "Too Many Requests".
That is our protection against password guessing attacks, in action: we have rate limiting on ssh connections. When that happens, try again in a little while; or maybe wait until the next wall-clock hour, then try; maybe use "ssh -v ..." (or "putty -v ...") to see the "error" message; try soon after the restriction is lifted, before the "bad guys" use up all permitted tries.
For some background, see:
https://isc.sans.edu/diary/Guess+what+SSH+again/6214
https://isc.sans.edu/diary/Dealing+With+Unwanted+SSH+Bruteforcing/7855/
and example log lines from 2011:
Aug 25 22:17:33 bari sskd: Failed for invalid user aaa
Aug 25 22:17:48 bari sskd: Failed for invalid user aaron
Aug 25 22:17:51 bari sskd: Failed for invalid user abacus
Aug 25 22:17:56 bari sskd: Failed for invalid user abby
Our ssh service is handled by:
- xinetd (on our front-end or firewall machine siv or talus).
In the file /etc/xinetd.conf we use the setting "cps = 3 15":
- Limit of three connections per second. When exceeded, xinetd will turn the port off for 15 seconds.
When the port is turned off, a connection attempt gets a "connection refused", which I observed is better at making attackers go away.
I no longer have my cpm and cph patches in xinetd, but have rate limiting in the sshind script as below.
- xinetd runs our sshind script (the reverse-proxy process). In sshind we have two kinds of rate limits:
- Limits for each connecting machine. We keep a list of connection attempts, and each machine is allowed
- 1 attempt per second
- 3 attempts per minute, and
- 10 attempts per hour.
- Limit of all (remaining) connections during each wall-clock time period, allowing
- 2 connections per second
- 50 connections per minute, and
- 500 connections per hour.
This prevents many distributed attacks, going through lists of login names but each attempt from a wildly different source IP address.
- sshind proxies the connection to sskd (on enna, our login server). sskd is an skey- or 2FA-aware version of sshd, and runs with the default "MaxStartups 10:30:100" setting:
- sshd will refuse connection attempts with a probability of 30% if there are currently 10 unauthenticated connections. The probability increases linearly and all connection attempts are refused if the number of unauthenticated connections reaches 100.
- Our 2FA implementation in sskd has a "maxbadtries" lockout:
- after 5 failed attempts at 2FA authentication, no more tries are permitted for an hour (the lockout is cleared automatically after the hour).
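As an added illustration of the two kinds of sshind limits described above (my own model, not the sshind script itself, whose source is not on this page), the following Python applies the per-machine limits as a sliding list of attempts and the global limits as fixed wall-clock buckets; class and function names are mine, and counting only admitted attempts towards the per-machine list is an assumption.

```python
from collections import deque
# (max connections, window in seconds), as quoted for sshind on this page
PER_HOST_LIMITS = [(1, 1), (3, 60), (10, 3600)]
GLOBAL_LIMITS = [(2, 1), (50, 60), (500, 3600)]

class SlidingLimiter:
    """Per-machine limit: a list of attempts, checked over trailing windows."""
    def __init__(self, limits):
        self.limits = limits
        self.attempts = deque()   # timestamps of admitted attempts (assumption)

    def allow(self, now):
        horizon = now - max(window for _, window in self.limits)
        while self.attempts and self.attempts[0] <= horizon:
            self.attempts.popleft()   # drop entries older than the longest window
        for count, window in self.limits:
            if sum(1 for t in self.attempts if t > now - window) >= count:
                return False
        self.attempts.append(now)
        return True

class WallClockLimiter:
    """Global limit: fixed wall-clock buckets, so a new hour/minute/second resets."""
    def __init__(self, limits):
        self.limits = limits
        self.buckets = {}         # (window, bucket number) -> admitted count

    def allow(self, now):
        keys = [(window, int(now) // window) for _, window in self.limits]
        if any(self.buckets.get(k, 0) >= count
               for (count, _), k in zip(self.limits, keys)):
            return False
        for k in keys:
            self.buckets[k] = self.buckets.get(k, 0) + 1
        return True

class SshGate:
    """Per-machine limits first; the global limit applies to what remains."""
    def __init__(self):
        self.per_host = {}
        self.everyone = WallClockLimiter(GLOBAL_LIMITS)

    def admit(self, src_ip, now):
        host = self.per_host.setdefault(src_ip, SlidingLimiter(PER_HOST_LIMITS))
        if not host.allow(now):
            return "refused:per-host"
        if not self.everyone.allow(now):
            return "refused:global"
        return "proxied"
```

A single source hammering the port is stopped by the per-machine list, while a run spread over many source addresses (as the page describes) is stopped by the global wall-clock count.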
Our Web-OTP service also has limits: 2 per minute for each connecting machine, and a limit of 2 per second or 20 per minute for all connections.
We are pretty safe against any breakins with 2FA; in fact I have never noticed them trying 2FA at all, they just try single passwords. Many try root only as the login name (and root does not have 2FA).
We limit connections to protect against attackers wasting resources, hoping to make the attacker "go away" and try another victim. Our protections have stopped many ssh password guessing runs/attacks, significantly lowering the CPU load on our machines.
Any limits (in xinetd, sshind or sskd) will affect legitimate users also: hopefully our rates and back-off times are not too annoying.
- avoid errors like
Unrecognized OpenGL version
Could not initialize GLX
X server does not support XInput 2
GLX 1.3 or later is required
- speed up your access
- maybe leave your windows in place, for next login
Using xpra may speed things up on slow networks like access from "outside",
but may instead slow things down on fast networks like internal ones,
and may introduce its own oddities and bugs.
Instructions:
- Set things up as per Recommendations.
- Setup (once only)
- Linux or Mac
On your laptop, install xpra from www.xpra.org.
Linux distributions may have xpra, e.g. on Ubuntu simply use command sudo apt install xpra
In a terminal window on your laptop (Applications>Accessories>Terminal), type commands:
ln -sf ssh-with-2fa ~/bin/xpraterm
ln -sf ssh-with-2fa ~/bin/xprasess
- Windows
On your laptop, install xpra from www.xpra.org.
In a command prompt window on your laptop (Start>Programs>Accessories>Command Prompt) or (Start>Run>cmd), type commands, but replacing MATHSNAME with your login name on the Maths servers:
echo $x=$0; $x=~s,[a-z-]*$,ssh-with-2fa,; $y=`type "$x"`; eval $y > bin\xpraterm-helper
echo $x=$0; $x=~s,[a-z-]*$,ssh-with-2fa,; $y=`type "$x"`; eval $y > bin\xprasess-helper
echo perl "%USERPROFILE%\bin\xpraterm-helper" MATHSNAME@enna > bin\xpraterm.bat
echo perl "%USERPROFILE%\bin\xprasess-helper" MATHSNAME@enna > bin\xprasess.bat
Put shortcuts on your Desktop, pointing to xpraterm and xprasess: right-click anywhere in the desktop background, choose New Shortcut, browse to C:\Users\username\bin\xpraterm (or ...\xprasess) and OK.
- How to use (daily)
Use xpraterm if you want a terminal, so you can mix "native" and enna windows e.g. for copy-paste; use xprasess if you want a "desktop" session (though it may be slower than xpraterm).
- Linux or Mac : In a terminal window on your laptop (Applications>Accessories>Terminal) type either command:
xpraterm MATHSNAME@enna
xprasess MATHSNAME@enna
where MATHSNAME is your login name on the Maths servers.
- Windows : Click the xpraterm or xprasess icon on your Desktop
To log out and terminate xpraterm or xprasess, in some enna window type command xpra stop
Comments about xpra (and other ways to use), for completeness:
On your laptop, in a new terminal (or command prompt) window, use command:
xpra start ssh/MATHSNAME@localhost:12022 --no-speaker --exit-with-children=yes --start-child=xterm
where MATHSNAME is your login name on the Maths servers. Some (Mac?) machines do not know about localhost, then use 127.0.0.1 instead of the name localhost.
If doing from inside, then instead you need
xpra start ssh/MATHSNAME@enna --no-speaker --exit-with-children=yes --start-child=xterm
This (in a little while, password-less if you had set up public keys as suggested) will show a new xterm window running on enna; use this new xterm to work in/from. When "done", in some enna window use command
xpra stop
or simply close the various windows, and your xpra session will close also.
If you wanted to keep your xpra session "alive", then when "done", do not close the various windows but press ctrl-C where you started xpra. This would leave the "session" running on enna. Later you could re-connect to the xpra session: if outside, log in with skeys and then (on your laptop, in a new terminal window) use
xpra attach ssh/MATHSNAME@localhost:12022 --no-speaker
(again, some (Mac?) machines do not know about localhost, then use 127.0.0.1 instead of the name localhost), or if inside, (in a terminal window on your laptop) use
xpra attach ssh/MATHSNAME@enna --no-speaker
and see all your previous windows, as you had left them. You may have several sessions. To choose, add the number e.g.
xpra attach ssh/MATHSNAME@localhost:12022/7 --no-speaker
xpra attach ssh/MATHSNAME@enna/7 --no-speaker
The same syntax could be used with xpra start if you wanted to choose some as-yet-unused one.
Though, I suggest you have just the one xpra session, to enna (not savona etc directly): use
xpra list
to show all session numbers, and for each use something like
xpra stop 7
Please do this on occasions, not to leave things running forever.
Paul Szabo psz@maths.usyd.edu.au 15 Mar 24