How to disable rate limit on SSH connections in UFW?

1

I've got a dev server to which I constantly sync my code using rsync. To secure the dev server a bit more I now activated UFW, which seems to work fine. The problem is that it works a bit too well, because I now often get an error while trying to sync, being:

rsync: connection unexpectedly closed (0 bytes received so far) [sender]
rsync error: unexplained error (code 255) at /SourceCache/rsync/rsync-45/rsync/io.c(453) [sender=2.6.9]

According to this blog post the problem is that UFW sets a "rate limit" on SSH connections; if you make an SSH connection attempt more than X times in 30 seconds, it will shut you out for a while. This is of course awesome to block out unwanted people, but I want to

  • either disable this for specific IP addresses,
  • or disable it for successful connection attempts (i.e. only let this rate limit work for unsuccessful attempts).

The blog post which I link to above doesn't come up with a solution for UFW, but simply replaced UFW with iptables. Since I need to spend my time getting some programming done, I don't really want to spend my time learning iptables. So I was wondering whether anybody here knows how to get this working with UFW? All tips are welcome!

kramer65

Posted 2015-02-17T18:50:48.533

Reputation: 1 335

Answers

2

Not a UFW solution, but you may be able to use ssh multiplexing to reduce the number of SSH connections that you're making. The SSH protocol permits multiple independent streams to run through the same TCP connection, and the OpenSSH ssh program permits one process to use multiplexing to piggyback on a connection opened by another process.

The usual advantage of this is that the connection only has to authenticate once, so later streams can skip that step. In your case, UFW should see it as a single already-connected stream, instead of multiple connections that it might want to rate-limit.

This page has a good description of how to set up multiplexing and how to manage connections. Basically, you'd add something like this to your ~/.ssh/config file:

Host name-of-rsync-server
    ControlPath ~/.ssh/controlmasters/%r@%h:%p
    ControlMaster auto
    ControlPersist 10m

When you run a copy of ssh (or, in your case, run rsync, which runs ssh for you), it'll look for a socket at the ControlPath which it can use to talk to an existing ssh instance (the "control master") which has a connection open to the rsync server. If that works, the two processes will work together to run the new ssh session through the existing TCP connection. Otherwise, the ssh instance will open a new TCP connection to the rsync server, and it'll become a control master for other ssh instances.

Kenster

Posted 2015-02-17T18:50:48.533

Reputation: 5 474
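As an added example (not part of the answer above), the same multiplexing set up from a shell script instead of ~/.ssh/config: it creates the ControlPath socket directory with private permissions, checks whether a control master is already alive with `ssh -O check`, and passes the ControlMaster options to rsync via `-e`, so every rsync run within the ControlPersist window reuses one TCP connection. The host alias name-of-rsync-server and the paths are assumptions.

```shell
#!/bin/sh
# Added example, not code from the answer. Assumed host alias: name-of-rsync-server.
set -eu

# Directory holding the control sockets referenced by ControlPath (the answer's
# ~/.ssh/controlmasters). A socket hands out an already-authenticated session to
# any local user who can open it, so the directory must be private (0700).
prepare_control_dir() {
    dir="${1:-${HOME:-.}/.ssh/controlmasters}"
    mkdir -p "$dir"
    chmod 0700 "$dir"
    printf '%s\n' "$dir"
}

# Exit status 0 if a control master for the host is already alive, non-zero otherwise.
# -O check only inspects the local socket; it never opens a network connection.
master_alive() {
    host="$1"
    ssh -o "ControlPath=${HOME:-.}/.ssh/controlmasters/%r@%h:%p" -O check "$host" >/dev/null 2>&1
}

# Run rsync through the multiplexed connection. The first call opens the master;
# later calls within ControlPersist reuse it, so UFW sees a single TCP connection.
sync_over_master() {
    host="$1"; src="$2"; dst="$3"
    prepare_control_dir >/dev/null
    rsync -az \
        -e "ssh -o ControlMaster=auto -o ControlPath=${HOME:-.}/.ssh/controlmasters/%r@%h:%p -o ControlPersist=10m" \
        "$src" "$host:$dst"
}

# Usage (assumed paths): sync_over_master name-of-rsync-server ./src/ /srv/app/
```

Running `ssh -O exit name-of-rsync-server` with the same ControlPath closes the persisted master when you are done.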