
I would like to be able to limit SSH bandwidth on my server. I.e. each sshd process should be limited to 200Kb/s or something like that.

scp has this functionality, but ssh, being more designed for responsive interactive use, doesn't seem to have this option. I however, would like to combine the -D (SOCKS proxy) functionality with some ability to somehow limit traffic.

Are there any options for this at all?

user10640
  • Are you looking to do this on the SSH server, or is it Ok to do it on a firewall between the two machines? – Mark Henderson Jun 29 '09 at 05:01
  • I'd really rather do this on the server, since I don't have access to the firewall. – user10640 Jun 29 '09 at 05:08
  • If you are happy doing this on the client, try the command line utility 'drizzle'. – Alex J Jun 29 '09 at 08:07
  • While the drizzle command looks useful, I ultimately can't trust users to run it. Looks like I'm stuck looking at something a bit more complicated than I hoped for :P. Thanks everybody! – user10640 Jul 08 '09 at 15:08

5 Answers


I'm not sure if trusting users is part of the equation, but trickle is very handy for limiting the speed of a given command. When I upload packages from home, the WoW-addict roommates notice when I forget something like that, since it pretty much dominates the pipe.

jldugger
  • Trickle can run as a daemon too and manage total bandwidth for multiple commands on the same machine. Handy when you want to set off a bunch of otherwise independent transfer operations at the same time but want them to use no more than a set data rate in total. – David Spillett Jun 29 '09 at 07:59
  • Unfortunately, I don't think that'll help me with sshd -- it forks off new sshds as new connections come in. I might be stuck with some firewall level solution, which will be a bit more tricky to implement. – user10640 Jun 30 '09 at 02:09
  • wtf why is this the top answer? `trickle` doesn't work with any process that forks. That includes sshd! – Navin Sep 17 '17 at 06:52

```sh
scp -l 8192 file.txt user_name@111.111.1.11:/tmp
# -l takes the limit in kilobits per second: 8192 Kbit/s is roughly 1024 KB/s
```

I know this thread is quite old, but hope this will help someone.

Hiroki
  • It's annoying that two people have downvoted your answer without at least commenting. I'm presuming it's because `scp` is a rather specific use case of ssh. I've tested `scp -l` and it works, although note that it's kilobits (kb) per second, and not kilobytes (kB). – mwfearnley Jan 02 '19 at 13:09

There are a few options.

A common one is to implement QoS on Port 22 on a firewall/router between the server and the clients.

If they are on the same local network (i.e. no routers or firewalls between them), I believe you can use IPTables to limit bandwidth to port 22... Have a look here for more information on how to do this.

Mark Henderson
  • You need to be careful using iptables' rate limiter with a service like ssh, because "It is important to observe that rate limiting is conceptually different from bandwidth throttling/limiting; a bandwidth-throttled connection will queue packets and limit the rate at which they are transmitted/received. Rate limiting will not do this; when you use rate limiting on, for example, incoming TCP connection attempts to your identd, and connections exceeding the specified limit will be denied; *there is no queueing of packets*." – msanford Jun 29 '09 at 05:20
  • Hmmm good point – Mark Henderson Jun 29 '09 at 06:46

It would be worth looking into implementing HTB traffic shaping using tc. My solution to a similar problem was to use the htb.init script found at http://sourceforge.net/projects/htbinit/

I set it up based on limiting traffic from port 22, but you can also use iptables to mark/mangle the packets which are then processed based on the mark.

Steve
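The HTB shaping that Mark Henderson's answer (QoS on port 22) and Steve's answer (tc with an HTB tree, optionally fed by iptables marks) point at, worked through as an added example. This is not code from any answer on this page nor from the htb.init project. Everything in it is an assumption chosen for illustration: the egress interface `eth0`, a 100mbit link, the 200 KB/s figure from the question, and the function names `kbytes_to_kbit`, `ssh_shaper_commands`, `apply_ssh_shaper` and `show_ssh_shaper`. Without an argument the script only prints the tc commands it would run; `apply` executes them (root and iproute2 required) and `show` dumps the per-class counters.

```shell
#!/bin/sh
# Added example (not from any answer on this page): cap the server's outbound
# SSH traffic with a hard-ceiled HTB class under tc. All names below are
# placeholders/assumptions:
#   IFACE       egress interface through which SSH clients are reached
#   LINK_RATE   physical link rate, used for the parent class
#   OTHER_RATE  guaranteed share for non-SSH traffic (ceil is the full link)
#   SSH_KBPS    cap for all SSH traffic together, in kilobytes per second
# Needs root and iproute2 to apply; with no argument it only prints commands.

IFACE="${IFACE:-eth0}"
LINK_RATE="${LINK_RATE:-100mbit}"
OTHER_RATE="${OTHER_RATE:-90mbit}"
SSH_KBPS="${SSH_KBPS:-200}"

# tc rates are in kbit; 1 KB/s = 8 kbit/s (200 KB/s from the question -> 1600 kbit/s).
kbytes_to_kbit() {
    echo $(( $1 * 8 ))
}

# Emit, one per line, the commands that build the shaping tree.
# Class 1:10 is the SSH class: rate == ceil, so it can never borrow beyond the
# cap; 1:30 is the default class for everything else. The sfq qdisc under 1:10
# shares the cap fairly between concurrent SSH sessions, and -D (SOCKS) streams
# travel inside the same TCP connection from port 22, so they are covered too.
# Unlike iptables' -m limit, HTB queues packets instead of dropping them.
ssh_shaper_commands() {
    rate="$(kbytes_to_kbit "$SSH_KBPS")kbit"
    cat <<EOF
tc qdisc del dev $IFACE root 2>/dev/null || true
tc qdisc add dev $IFACE root handle 1: htb default 30
tc class add dev $IFACE parent 1: classid 1:1 htb rate $LINK_RATE
tc class add dev $IFACE parent 1:1 classid 1:10 htb rate $rate ceil $rate
tc class add dev $IFACE parent 1:1 classid 1:30 htb rate $OTHER_RATE ceil $LINK_RATE
tc qdisc add dev $IFACE parent 1:10 handle 10: sfq perturb 10
tc filter add dev $IFACE parent 1: protocol ip prio 1 u32 match ip sport 22 0xffff flowid 1:10
EOF
}

# Run the commands (root required), echoing each one first so the applied
# configuration is visible in the terminal log.
apply_ssh_shaper() {
    ssh_shaper_commands | while IFS= read -r cmd; do
        printf '+ %s\n' "$cmd"
        sh -c "$cmd"
    done
}

# Per-class byte/packet counters; the 1:10 line shows whether SSH traffic is
# actually hitting the cap (look at "dropped" and "overlimits").
show_ssh_shaper() {
    tc -s class show dev "$IFACE"
}

case "${1:-}" in
    apply) apply_ssh_shaper ;;
    show)  show_ssh_shaper ;;
    *)     ssh_shaper_commands ;;
esac
```

Two caveats a practitioner will hit. First, tc shapes egress only: this caps what the server sends to SSH clients (downloads through the tunnel), while data the clients push up still has to be policed on ingress or redirected through an ifb device. Second, if you prefer the mark-based classification Steve mentions, replace the u32 filter line with `tc filter add dev $IFACE parent 1: protocol ip prio 1 handle 22 fw flowid 1:10` and add `iptables -t mangle -A OUTPUT -p tcp --sport 22 -j MARK --set-mark 22`; the rest of the tree is unchanged.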

You could look at something like iprelay:

User-space bandwidth shaping TCP proxy daemon
iprelay can shape the TCP traffic forwarded through it to a specified
bandwidth and allow this bandwidth to be changed on-the-fly. Multiple
data streams to different sockets may be shaped to the same total
bandwidth, much like a traffic shaping router would. However, this
application runs in user space, and works by acting as a TCP proxy.
rkthkr