From a6d4fae07098546f5d61b32e62b7053946064e9a Mon Sep 17 00:00:00 2001
From: Clark Boylan
Date: Wed, 17 Aug 2022 12:40:46 -0700
Subject: [PATCH] Tune sshd connections settings on test nodes
Update the sshd_config on our test nodes to accomodate what appears to be an increase in ssh scanner traffic. In particular LoginGraceTime defaults to 120 seconds. We reduce that to 30 seconds to cycle connections more quickly. Then we also increase the maximum number of connection startups to 30 from the default of 10. We also reduce the random fail rate from 30% to 10% between 31 and 100 connections. I'm not entirely certain this will fix things, but based on what we've seen from logs it may be what we need to make ssh to test nodes more reliable.
Change-Id: Ifacf7d00de157ab2fb60cde990f0b49f03f71415
---
 .../infra-package-needs/post-install.d/89-sshd | 13 +++++++++++++
 1 file changed, 13 insertions(+)
diff --git a/nodepool/elements/infra-package-needs/post-install.d/89-sshd b/nodepool/elements/infra-package-needs/post-install.d/89-sshd
index 46cc60f68e..0f1b37446a 100755
--- a/nodepool/elements/infra-package-needs/post-install.d/89-sshd
+++ b/nodepool/elements/infra-package-needs/post-install.d/89-sshd
@@ -31,3 +31,16 @@ sed -i -e'/PermitRootLogin/d' /etc/ssh/sshd_config \
 # unnecessary password auth.
 sed -i -e '/PasswordAuthentication/d' /etc/ssh/sshd_config \
 && echo "PasswordAuthentication no" >> /etc/ssh/sshd_config
+
+# NOTE(clarkb): SSH scanners may be affecting Zuul ssh connectivity
+# Default LoginGraceTime is 120. Reduce that to 30 to cycle connections more
+# quickly.
+sed -i -e '/LoginGraceTime/d' /etc/ssh/sshd_config \
+ && echo "LoginGraceTime 30" >> /etc/ssh/sshd_config
+
+# NOTE(clarkb): SSH scanners may be affecting Zuul ssh connectivity
+# Default MaxStartups is 10:30:100 which means after 10 unauthenticated
+# connections randomly drop 30% of connections with an increasing
+# percentage until 100 connections is reached.
+sed -i -e '/MaxStartups/d' /etc/ssh/sshd_config \
+ && echo "MaxStartups 30:10:100" >> /etc/ssh/sshd_config
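Review bot: Nothing after the two new `sed ... && echo ... >> /etc/ssh/sshd_config` pairs confirms that sshd accepts the appended `LoginGraceTime 30` and `MaxStartups 30:10:100` lines or that they become the effective values. sshd keeps the first value it reads for a keyword, so on an image whose sshd_config begins with an `Include` of a drop-in directory, a drop-in setting either keyword would override the appended line. If the file ends in a `Match` block, the appended lines would land inside it, where neither keyword is permitted. Whether either case applies to the images built here cannot be seen from the hunk. A closing `sshd -t` (assuming host keys exist at this stage of the build) would fail the image build instead of shipping nodes Zuul cannot reach, and a comment such as `# 30:10:100: start dropping at 30 unauthenticated connections, 10% at first, rising to 100% at 100` would document the chosen value next to the default.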