Join Log in
Score:0
avatar Server

How to force Linux users to respect max login rate

mu flag
EdwardTeach

How does one set a rate-based throttle and/or quota for SSH logins per user on a shared system? For example: limit an SSH login to one time per 10 seconds.

Things I've looked at:

  • pam throttle and throttle2, but those look for failed logins and then throttle. I instead want to look for successful logins and then throttle.
  • fail2ban, but that blocks IPS/ranges as opposed to users, which does not help me here. (EDITED to note IP vs user blocks)
85
0 + 0
ssh
John Hanley avatar
cn flag
John Hanley
An SSH login every two seconds would not kill a server unless it is already overloaded. In other words, focus on the best problems to solve. Make sure you are actually benefiting everyone by trying to block a script. I suggest you have a meeting with the person responsible for the script to choose a more manageable solution. Blocking a script that provides a valuable service might be the wrong direction. No matter which direction you choose, each method will have a CPU cost (cost to log in, cost to monitor traffic to block logins).
0
Reply
mu flag
EdwardTeach
@JohnHanley thanks for your comment. You are right, talking to a problem user is a good first course of action. That said I was very interested to notice that I could find no generalized throttling information for SSH, save for failed logins/fail2ban type situation. I am wondering how this is done for large-scale shared hosting providers. Are there any guides like this? I have edited the question to generalize accordingly, and de-emphasize my specific current symptoms.
0
Reply
John Hanley avatar
cn flag
John Hanley
In development, I often do things like SSH login over and over. I have never been throttled or rate limited for valid connections at any vendor. As I mentioned, successful logins every two seconds consume a small amount of total CPU time - apx 10 ms on modern i7 type CPUs. IHMO, you are worried about a problem that might not need to be solved thru rate limiting. Failed connections are a different matter.
0
Reply
Kenji Noguchi avatar
cn flag
Kenji Noguchi
This is a valid question. My hosting service has a large number of customers. Occasionally there are customers with misconfigured script that do hundreds of successful logins per second.
0
Reply
Score:2
avatar Server
jp flag
AlexD

fail2ban allows custom filters and custom actions. You can create a custom filter to parse appropriate logs for successful ssh login with appropriate action.

You can find many examples of different filters in /etc/fail2ban/filter.d/ and many examples of different actions in /etc/fail2ban/action.d/

If you don't want to use IP blocking then you can lock a user account with passwd -l username. Or you can create a script /bin/sshratelimit which prints some strongly worded warning and set this script as the user's shell.

0 + 0
mu flag
EdwardTeach
Thanks for your answer! I was under the impression that fail2ban only does IP based blocking/firewall control. I can't find any info about blocking/unblocking accounts. Am I missing something? I'll also clarify the question to note that IP blocking won't work in my case.
0
Reply
jp flag
AlexD
@EdwardTeach I have updated the answer.
0
Reply
ธงชาติไทย
Elon Musk
I sit in a Tesla and translated this thread with Ai:

mangohost

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.