- Committer: Peter Müller
- Date: 2022-04-23 14:27:56 UTC
- Revision ID: git-v1:7a981d94cb2c3e48ecaf07c506c8353a2c839d79
SSH: do not send spoofable TCP keep alive messages
By default, both SSH server and client rely on TCP-based keep alive
messages to detect broken sessions, which can be spoofed rather easily
in order to keep a broken session opened (and vice versa).
Since we rely on SSH-based keep alive messages, which are not vulnerable
to this kind of tampering, there is no need to double-check connections
via TCP keep alive as well.
This patch thereof disables using TCP keep alive for both SSH client and
server scenario. For usability reasons, a timeout of 5 minutes (10
seconds * 30 keep alive messages = 300 seconds) will be used for both
client and server configuration, as 60 seconds were found to be too
short for unstable connectivity scenarios.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
By default, both SSH server and client rely on TCP-based keep alive
messages to detect broken sessions, which can be spoofed rather easily
in order to keep a broken session opened (and vice versa).
Since we rely on SSH-based keep alive messages, which are not vulnerable
to this kind of tampering, there is no need to double-check connections
via TCP keep alive as well.
This patch thereof disables using TCP keep alive for both SSH client and
server scenario. For usability reasons, a timeout of 5 minutes (10
seconds * 30 keep alive messages = 300 seconds) will be used for both
client and server configuration, as 60 seconds were found to be too
short for unstable connectivity scenarios.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
| Filename | Latest Rev | Last Changed | Committer | Comment | Size | ||
|---|---|---|---|---|---|---|---|
 ..
|
|||||||
acpid
|
3315 | 12 years ago | Michael Tremer | acpid: Forgot to commit config data. |
|
||
|
avahi
|
6491 | 6 years ago | Michael Tremer | Revert "avahi: Drop package" This reverts commit |
|
||
|
backup
|
637 | 17 years ago | maniacikarus | Korrekturen im IDS System Division by 0 in den gra |
|
||
|
bash
|
3433 | 12 years ago | Michael Tremer | Import bash startfiles from IPFire 3.x. |
|
||
|
bind
|
4428 | 10 years ago | Dirk Wagner | Merge branch 'next' of ssh://git.ipfire.org/pub/gi |
|
||
|
ca-certificates
|
4742 | 9 years ago | Arne Fitzenreiter | Merge branch 'master' into next |
|
||
|
calamaris
|
471 | 17 years ago | ms | Calamaris-Proxy-Logdatei-Analyzer eingebaut. git |
|
||
|
cdrom
|
2 | 19 years ago | ipfire | git-svn-id: http://svn.ipfire.org/svn/ipfire/IPF |
|
||
|
cfgroot
|
2 | 19 years ago | ipfire | git-svn-id: http://svn.ipfire.org/svn/ipfire/IPF |
|
||
|
clamav
|
505 | 17 years ago | ms | Einige Fixes fuer den Paketmanager. ISA PnP aus Ke |
|
||
|
client175
|
2701 | 14 years ago | Arne Fitzenreiter | Merge branch 'master' of ssh://arne_f@git.ipfire.o |
|
||
|
collectd
|
1004 | 17 years ago | maniacikarus | Corrected guardian build lcd4linux startet integra |
|
||
|
cron
|
2 | 19 years ago | ipfire | git-svn-id: http://svn.ipfire.org/svn/ipfire/IPF |
|
||
|
cups
|
976 | 17 years ago | ms | Made cups accessable. git-svn-id: http://svn.ipf |
|
||
|
cyrus-sasl
|
963 | 17 years ago | ms | Typo in compilation commands of postfix. Now it wo |
|
||
|
dehydrated
|
6674 | 6 years ago | Michael Tremer | dehydrated: New package This is a light client fo |
|
||
|
dhcpc
|
4937 | 9 years ago | Arne Fitzenreiter | Merge branch 'master' into next |
|
||
|
dma
|
4801 | 9 years ago | Michael Tremer | dma: Add script that cleans up stale emails in the |
|
||
|
dracut
|
4436 | 10 years ago | Dirk Wagner | Merge branch 'next' of ssh://git.ipfire.org/pub/gi |
|
||
|
elinks
|
1058 | 16 years ago | arne_f | Addon: elinks (www-browser for textconsole) git- |
|
||
|
etc
|
2 | 19 years ago | ipfire | git-svn-id: http://svn.ipfire.org/svn/ipfire/IPF |
|
||
|
etc-aarch64
|
8767 | 3 years ago | Michael Tremer | Install sysctl.conf only on those architectures wh |
|
||
|
etc-armv6l
|
8893 | 3 years ago | Arne Fitzenreiter | switch arm 32 bit arch from armv5tel to armv6l we |
|
||
|
etc-x86_64
|
8767 | 3 years ago | Michael Tremer | Install sysctl.conf only on those architectures wh |
|
||
|
extrahd
|
395 | 18 years ago | ms | ExtraHD! Die Erweiterung um Festplatten schnell ei |
|
||
|
findutils
|
4431 | 10 years ago | Dirk Wagner | Merge branch 'next' of ssh://git.ipfire.org/pub/gi |
|
||
|
firewall
|
3989 | 11 years ago | Alexander Marx | Firewall: renamed /config/forwardfw to config/fire |
|
||
|
flash-images
|
6214 | 6 years ago | Arne Fitzenreiter | Merge branch 'kernel-4.14' into next |
|
||
|
freeradius
|
7338 | 5 years ago | Arne Fitzenreiter | Merge branch 'next' |
|
||
|
fstrim
|
3552 | 12 years ago | Arne Fitzenreiter | fstrim: add daily cronjob. |
|
||
|
fwhosts
|
3884 | 11 years ago | Michael Tremer | Merge remote-tracking branch 'amarx/firewall' into |
|
||
|
gnump3d
|
946 | 17 years ago | ms | Made the gnump3d working out of the box... git-s |
|
||
|
grub2
|
4436 | 10 years ago | Dirk Wagner | Merge branch 'next' of ssh://git.ipfire.org/pub/gi |
|
||
|
guardian
|
691 | 17 years ago | maniacikarus | Guardian Paket angefangen, zum Testen muss Snort f |
|
||
|
haproxy
|
4482 | 9 years ago | Michael Tremer | haproxy: New package |
|
||
|
hostapd
|
1182 | 16 years ago | Christian Schmidt | Merge branch 'rspezial' Conflicts: config/rootf |
|
||
|
httpd
|
2 | 19 years ago | ipfire | git-svn-id: http://svn.ipfire.org/svn/ipfire/IPF |
|
||
|
icinga
|
4419 | 10 years ago | Dirk Wagner | Merge branch 'next' of ssh://git.ipfire.org/pub/gi |
|
||
|
include
|
3442 | 12 years ago | Arne Fitzenreiter | linux-headers: use kernel 3.2.x headers. |
|
||
|
initrd
|
2701 | 14 years ago | Arne Fitzenreiter | Merge branch 'master' of ssh://arne_f@git.ipfire.o |
|
||
|
iptraf-ng
|
8363 | 4 years ago | Arne Fitzenreiter | Merge branch 'next' |
|
||
|
kernel
|
2 | 19 years ago | ipfire | git-svn-id: http://svn.ipfire.org/svn/ipfire/IPF |
|
||
|
lcdproc
|
3696 | 11 years ago | Arne Fitzenreiter | Merge branch 'next' of ssh://git.ipfire.org/pub/gi |
|
||
|
lib
|
4450 | 10 years ago | Michael Tremer | Merge branch 'master' into next Conflicts: make. |
|
||
|
libid3tag
|
8775 | 3 years ago | Michael Tremer | Merge branch 'next' |
|
||
|
libvirt
|
7536 | 5 years ago | Arne Fitzenreiter | Merge branch 'next' Signed-off-by: Arne Fitzenrei |
|
||
|
logwatch
|
388 | 18 years ago | ms | MoBlock hinzugefuegt (fuer Outgoing Firewall) gi |
|
||
|
lua
|
8775 | 3 years ago | Michael Tremer | Merge branch 'next' |
|
||
|
menu
|
393 | 18 years ago | ms | Credits ueberarbeitet. Menue Rewrite Connectionche |
|
||
|
minidlna
|
3292 | 12 years ago | Michael Tremer | Merge remote-tracking branch 'origin/next' into gl |
|
||
|
monit
|
4448 | 10 years ago | Alexander Marx | Merge branch 'next' of ssh://git.ipfire.org/pub/gi |
|
||
|
mpfire
|
625 | 17 years ago | maniacikarus | MPFire hinzugefügt - CGI mpg123 Frontend Hardwareg |
|
||
|
netpbm
|
1071 | 16 years ago | arne_f | deleted empty collectd rootfile added netpbm (pnmt |
|
||
|
netsnmpd
|
1989 | 15 years ago | Peter Pfeiffer | add new changed files for netsnmpd |
|
||
|
nginx
|
3614 | 12 years ago | Michael Tremer | Merge remote-tracking branch 'trikolon/next' into |
|
||
|
ntp
|
8381 | 4 years ago | Arne Fitzenreiter | Merge branch 'next' into master Signed-off-by: Ar |
|
||
|
oinkmaster
|
7005 | 5 years ago | Michael Tremer | Merge remote-tracking branch 'stevee/next-suricata |
|
||
|
ovpn
|
128 | 18 years ago | ms | Hinzugefügt: * OpenVPN GUI Alpha7 Geändert: * |
|
||
|
pmacct
|
8775 | 3 years ago | Michael Tremer | Merge branch 'next' |
|
||
|
profile.d
|
373 | 18 years ago | ms | Bashpromt erweitert und FTP Upload wieder funktion |
|
||
|
proxy
|
524 | 17 years ago | maniacikarus | Proxy.cgi von den IPCop Error Pages befreit, da ni |
|
||
|
qemu
|
4610 | 9 years ago | Arne Fitzenreiter | qemu: update to 2.3.0 |
|
||
|
qos
|
173 | 18 years ago | ms | Hinzugefügt: * Fehlende Grafik. * QoS-Script, |
|
||
|
rootfiles
|
292 | 18 years ago | ms | Hinzugefuegt: * Net-Tools * Inetutils * Ed |
|
||
|
rpi-firmware
|
3342 | 12 years ago | Arne Fitzenreiter | rpi: updated firmware and patchset. |
|
||
|
samba
|
438 | 17 years ago | maniacikarus | colours.txt ins Theme Verzeichnis geschoben, daher |
|
||
|
sarg
|
3498 | 12 years ago | Arne Fitzenreiter | Merge remote-tracking branch 'origin/next' into th |
|
||
|
shadow
|
5353 | 8 years ago | Michael Tremer | shadow-utils: Create standard set of configuration |
|
||
|
squidclamav
|
1099 | 16 years ago | Maniacikarus | Fixed authentication not working when using proxy |
|
||
|
ssh
|
6574 | 6 years ago | Michael Tremer | add hardened SSH client configuration Introduce a |
|
||
|
ssl
|
2 | 19 years ago | ipfire | git-svn-id: http://svn.ipfire.org/svn/ipfire/IPF |
|
||
|
strongswan
|
4455 | 10 years ago | Michael Tremer | strongswan: Create configuration for better intero |
|
||
|
stunnel
|
4415 | 10 years ago | Dirk Wagner | Merge branch 'next' of ssh://git.ipfire.org/pub/gi |
|
||
|
suricata
|
7005 | 5 years ago | Michael Tremer | Merge remote-tracking branch 'stevee/next-suricata |
|
||
|
syslinux
|
344 | 18 years ago | ms | Graphen gefixt. Bootlogo zur Iso hinzugefuegt. Mem |
|
||
|
sysstat
|
459 | 17 years ago | ms | Wir kehren zurueck zu Kudzu, da hwinfo noch mehr A |
|
||
|
time
|
2717 | 14 years ago | Arne Fitzenreiter | ntp: new enabled at default Fix ipfire ntp server |
|
||
|
tor
|
3805 | 11 years ago | Michael Tremer | tor: New package. |
|
||
|
transmission
|
3045 | 13 years ago | Arne Fitzenreiter | transmission: New package. |
|
||
|
u-boot
|
3136 | 12 years ago | Arne Fitzenreiter | u-boot: update to 2011.12 and build MLO + bin for |
|
||
|
udev
|
1088 | 16 years ago | arne_f | added DVB Hardware modules to core12 added VideoDi |
|
||
|
unbound
|
5297 | 8 years ago | Michael Tremer | Merge branch 'unbound' into next |
|
||
|
updxlrator
|
396 | 18 years ago | ms | Updatexlrator (not tested yet) git-svn-id: http: |
|
||
|
urlfilter
|
161 | 18 years ago | ms | Hinzugefügt: * URL-Filter git-svn-id: http://s |
|
||
|
vdr
|
1091 | 16 years ago | arne_f | add vdr streamdev-plugin git-svn-id: http://svn. |
|
||
|
vdradmin
|
1618 | 15 years ago | Arne Fitzenreiter | Change vdradmin istallation part 1 |
|
||
|
vim
|
3962 | 11 years ago | Michael Tremer | vim: Update to 7.4. |
|
||
|
w_scan
|
3448 | 12 years ago | Arne Fitzenreiter | w_scan: add new w_scan_start skript. |
|
||
|
wpa_supplicant
|
1182 | 16 years ago | Christian Schmidt | Merge branch 'rspezial' Conflicts: config/rootf |
|
||
|
xinetd
|
3850 | 11 years ago | Michael Tremer | xinetd: New package. |
|
||
|
xtables-addons
|
4549 | 9 years ago | Michael Tremer | Merge remote-tracking branch 'stevee/core-90-geoip |
|
||
|
zabbix_agentd
|
6977 | 5 years ago | Michael Tremer | zabbix_agentd: New addon New addon for monitoring |
|
||