Limiting number of ssh connections per user

[NuLL3rr0r]

Hi Folks,

I need to limit number of ssh connections per user. I found a way that specific to Linux:
SSH limit number of simultaneous logins attempts for each user


/etc/security/limits.conf

user         hard    maxlogins       2

Is there such a thing in FreeBSD to limit user logins??

 

[NuLL3rr0r]

I just used a hack to get the job done, and I'm getting closer to what I want; maybe it's useful for someone else, then I post it here.

I wrote a small C++ program to see if the user is logged in or not, if found more than one user logged in, I'll kill the user.

#include <iostream>
#include <string>

using namespace std;

string Exec(const char *cmd);
void ReplaceAll(string& str, const string& from, const string& to);

int main(int argc, char **argv, char **envp) {
        string whoami, users;
        size_t found;
        size_t pos1, pos2;

        whoami = Exec("whoami");
        users = Exec("who");

        ReplaceAll(whoami, "\n", "");

        pos1 = users.find(whoami.c_str());
        pos2 = users.rfind(whoami.c_str());

        if (pos1 != pos2) {
                cout << endl
                        << "  * Too many logins for " + whoami
                        << endl
                        << "  * Forcing logout..."
                        << endl
                        << endl
                        << endl;

                char command[100];
                sprintf(command, "pkill -9 -U %d '.*'", getuid());
                system(command);
        }

        return 0;
}

string Exec(const char *cmd) {
        FILE *pipe = popen(cmd, "r");
        if (!pipe)
                return "3rr0r";

        char buffer[128];
        string result = "";
        while (!feof(pipe)) {
                if (fgets(buffer, 128, pipe) != NULL)
                        result += buffer;
        }

        pclose(pipe);
        return result;
}

void ReplaceAll(string& str, const string& from, const string& to) {
    size_t start_pos = 0;
    while((start_pos = str.find(from, start_pos)) != string::npos) {
        size_t end_pos = start_pos + from.length();
        str.replace(start_pos, end_pos, to);
        start_pos += to.length();
    }
}

Then compiled using
[CMD=""]g++ -O2 -march=native -o /home/sshcheck sshcheck.cpp[/CMD]
and
[CMD=""]chmod a+x /home/sshcheck[/CMD]
To be sure it's executable by all users

Then for each user

echo "../sshcheck" >> /home/user/.shrc
echo "../sshcheck" >> /home/user/.cshrc
chown root:wheel /home/user/.shrc
chown root:wheel /home/user/.cshrc
chmod 0600 /home/user/.shrc
chmod 0600 /home/user/.cshrc

Bingo! It works! But there's just one little problem. It shows the message to new logged in user, but killed the first user who is logged in already.

 

[SirDice]

The user can overide your settings by removing or editing .cshrc or .shrc. Don't think that setting those to root-owned will help. Since the user is the owner of the home directory they can overrule those settings.

I also fail to see why it would be a problem if users login more than two times.

 

[NuLL3rr0r]

Thanks for the tip.

They are not power users, they are just some artists and know nothing about Unix, They just use SSH Tunneling for their web browsing. (By the way good tip.)

I limit them because the bandwidth of the VPS is limited and some users violate the rules and share their accounts with others. And boooom suddenly the network performance drops. (I checked the logged on users and some users logged in 5 times at the same time.)

 

[SirDice]

I limit them because the bandwidth of the VPS is limited and some users violate the rules and share their accounts with others. And boooom suddenly the network performance drops. (I checked the logged on users and some users logged in 5 times at the same time.)

There's a simple solution for that. Remove the accounts. Abuse it, you lose it.

 

[DutchDaemon]

Also known as an Acceptable Use Policy (AUP) or Terms of Contract (ToC). You're powerless without one.

 

[silverglade00]

Instead of punishing the behavior, you could make it a value add. Two logins max initial, $20 a month each additional login.

 

[l2f]

ipfw to the rescue

Hello,

Use ipfw on port 22 with the limit parameter (ipfw(8)).

l2f

 

[NuLL3rr0r]

@l2f

Thank you so much, I knew someone would come up with that.

I see the usage in man page.

 limit {src-addr | src-port | dst-addr | dst-port} N
	     The firewall will only allow N connections with the same set of
	     parameters as specified in the rule.  One or more of source and
	     destination addresses and ports can be specified.	Currently,
	     only IPv4 flows are supported.

But I'm not very familiar with ipfw.conf rules.

For example let's say we run SSH on port 9423 instead of 22, and the VPS address is AAA.BBB.CCC.DDD. And also users does not login from the same IP address each time (Work, Home, etc). (Is it possible to use wildcards for src and dst addresses?)

Would you please provide me an example?

 

[NuLL3rr0r]

@SirDice
@DutchDaemon
@silverglade00

Thank you for your suggestions, but I'm not selling anything.

At work my colleagues are using VPN to connect to the Internet. Each one of them paid for their accounts. I suggested a better solution to them: a FreeBSD VPS, and explained about how SSH is better than PPTP VPNs. Also usable day to day tools like FTP, cclive, RapidLeech, PH-PROXY, etc, and also running a VPN daemon side by side together with SSH Tunneling if they need VPN too. All those things without paying extra money, they sum up their money to buy a VPS.

Since all of them came from a Windows background, they requested me to configure and manage their VPS. I'm not the landlord ;-) by the way. And they all paid for that. That is why I can't use your suggestions.

If it was mine I never shared it with anyone, at any cost