A Cloud Guru Lab
Protecting an SSH Service Using HAProxy

HAProxy isn't just for securing HTTP; it can also be used to protect TCP-based services as well. One service that, when exposed to the Internet, is always under constant attack is SSH. In this lab, we're going to get hands-on with HAProxy, using it to protect our SSH service. We'll proxy our SSH service. Then we'll set some connection boundaries in HAProxy, which should cut down on malicious traffic to our SSH service. Upon completion of the lab, you will be able to configure an HAProxy installation to protect a TCP-based service.


Path Info

Level: Intermediate
Duration: 30m
Published: Jul 01, 2021


Table of Contents

  1. Challenge

    Protect an SSH Service with HAProxy

    Before we get started, let's confirm that our SSH service is working.

    • Check that our containers are running using podman
    • Try pulling a file from our SSH container, directly (bypassing HAProxy), on the HAProxy server, using scp:
      • StrictHostKeyChecking=no
      • UserKnownHostsFile=/dev/null
      • port=2223
      • [email protected]
      • file: /sshfiles/ssh-test.txt

    Securing Our SSH Service Using HAProxy

    In order to secure our SSH service, we need to add a frontend and a backend to /etc/haproxy/haproxy.cfg.

    Let's make some changes to our /etc/haproxy/haproxy.cfg file

    • Add a frontend for SSH named ssh-in:

      • bind port 2222 to all addresses
      • tcp mode
      • use the sshd1 backend
    • Add a backend for SSH named sshd1:

      • tcp mode
      • one server, sshd1-server1
        • localhost, port 2223
        • add a check for it
    • Restart the haproxy service

    • Try pulling a file from our SSH container, via HAProxy, on the HAProxy server, using scp:

      • StrictHostKeyChecking=no
      • UserKnownHostsFile=/dev/null
      • port=2222
      • [email protected]
      • file: /sshfiles/ssh-test.txt

    Running Some Basic Tests

    Before we get started with protecting our SSH service with HAProxy, let's take a look at how a stock HAProxy configuration behaves when presented with a large number of connections.

    We'll open our web browser, connect to port 8050 on our public IP/DNS, and go get the stats information for our HAProxy installation.

    Let's generate some SSH traffic on our local HAProxy host.

    • Use a for loop to launch 1000 scp operations
      • Put each in the background
      • Try pulling a file from our SSH container, via HAProxy, on the HAProxy server, using scp:
        • StrictHostKeyChecking=no
        • UserKnownHostsFile=/dev/null
        • port=2222
        • [email protected]
        • file: /sshfiles/ssh-test.txt

    We can see traffic moving through our ssh-in frontend and sshd1 backend. We're ready to start setting some boundaries on SSH connections.

    Setting Some SSH Restrictions

    We just dropped 1,000 SSH connections on our SSH service in short order. Even though our service has no problem handling that from a single client, it's not a normal use case. We'd like to set some connection restrictions on our SSH service, so it can't be overwhelmed by a single client.

    We're going to create a new backend to hold a stick-table to track SSH connections by client, named ssh_per_ip_connections:

    • type ip
    • size 1m
    • expire 1m
    • store
      • conn_cur
      • conn_rate(1m)

    We'll add the following to our SSH frontend:

    • Use the TCP log format
    • Set a 1 minute client timeout
    • Track our SSH connections by client in the ssh_per_ip_connections stick-table we created
    • Reject a connection if the client already has more than 2 open, or has made more than 10 connections in the span of 1 minute
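    The stanzas the last two sections ask for (the ssh-in frontend and sshd1 backend, plus the ssh_per_ip_connections stick-table and the reject rules), written out as an added example rather than the lab's own solution file. It assumes /etc/haproxy/haproxy.cfg already carries the lab's global and defaults sections and the stats listener on port 8050, and that the SSH container is reachable on localhost:2223 as the lab states; the script name, the HAPROXY_CFG variable and the show/apply sub-commands are this example's own.

```shell
#!/bin/sh
# Added example (not the lab's solution): prints and applies the HAProxy
# stanzas that protect the SSH service. Assumes haproxy.cfg already has its
# global/defaults sections; only the SSH-specific sections are appended.

HAPROXY_CFG="${HAPROXY_CFG:-/etc/haproxy/haproxy.cfg}"

# Print the three stanzas to append: the stick-table holder, the sshd1
# backend and the ssh-in frontend with its per-client limits.
haproxy_ssh_config() {
  cat <<'EOF'

# Holds the per-client stick-table only; it has no servers and gets no traffic.
backend ssh_per_ip_connections
    stick-table type ip size 1m expire 1m store conn_cur,conn_rate(1m)

backend sshd1
    mode tcp
    server sshd1-server1 127.0.0.1:2223 check

frontend ssh-in
    bind *:2222
    mode tcp
    option tcplog
    timeout client 1m
    # Count this connection against the client's source address first...
    tcp-request connection track-sc0 src table ssh_per_ip_connections
    # ...then drop it if that client already holds more than 2 open connections
    # or has opened more than 10 inside the table's 1-minute rate window.
    tcp-request connection reject if { sc0_conn_cur gt 2 } || { sc0_conn_rate gt 10 }
    default_backend sshd1
EOF
}

# Append the stanzas once, validate the whole file, then restart the service.
apply_ssh_protection() {
  if grep -q '^frontend ssh-in' "$HAPROXY_CFG"; then
    echo "frontend ssh-in already present in $HAPROXY_CFG; not appending again" >&2
  else
    haproxy_ssh_config >> "$HAPROXY_CFG"
  fi
  # -c parses the configuration and exits non-zero on any error, without
  # starting a proxy, so a typo never takes the running service down.
  haproxy -c -f "$HAPROXY_CFG" || return 1
  systemctl restart haproxy
}

case "${1:-}" in
  show)  haproxy_ssh_config ;;
  apply) apply_ssh_protection ;;
esac
```

    Run it with `show` to review the stanzas and `apply` to append, validate and restart. The track-sc0 rule counts the new connection before the reject rule is evaluated, so `gt 2` means the third concurrent connection from one address is the first one refused, which matches the "2 succeeded" result the lab reports.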

  2. Challenge

    Test Your SSH Attack Protection

    Testing Our SSH Restrictions

    Now that we've set some boundaries on SSH connections, let's test our work!

    Before we proceed, let's restart the haproxy service to pick up our configuration changes and reset our statistics.

    Let's generate some SSH traffic on our local HAProxy host

    • Use a for loop to launch 1000 scp operations
      • Put each in the background
      • Try pulling a file from our SSH container, via HAProxy, on the HAProxy server, using scp:
        • StrictHostKeyChecking=no
        • UserKnownHostsFile=/dev/null
        • port=2222
        • [email protected]
        • file: /sshfiles/ssh-test.txt

    Looking at the HAProxy stats web interface using a web browser, we can see that 2 connections succeeded, and 998 failed. Things are working!

    Let's give our HAProxy server a minute to recover, then try some serial SSH connections.

    • Try pulling a single file from our SSH container, via HAProxy, on the HAProxy server, using scp:
      • StrictHostKeyChecking=no
      • UserKnownHostsFile=/dev/null
      • port=2222
      • [email protected]
      • file: /sshfiles/ssh-test.txt

    Repeating this, one scp at a time, until we are blocked, we can go until we hit our rate limit of 10 sessions per minute. Our SSH service is protected!
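    The two checks above (the 1000-connection burst, used both before and after the limits were added, and the one-at-a-time pulls until the rate limit trips), scripted as an added example that is not part of the lab. It is meant to be run on the HAProxy host against port 2222, as the lab does. SSH_TARGET is a placeholder for the user@host the lab uses (the page shows that value obfuscated), and the burst/serial sub-commands and the counting helpers are this example's own.

```shell
#!/bin/sh
# Added example (not the lab's own script): exercises the ssh-in frontend and
# counts how many scp pulls HAProxy lets through.
# Assumptions: run on the HAProxy host; SSH_TARGET is a PLACEHOLDER to adjust.

SSH_TARGET="${SSH_TARGET:-user@localhost}"   # PLACEHOLDER user@host for the lab
SSH_PORT="${SSH_PORT:-2222}"                 # HAProxy's ssh-in frontend
REMOTE_FILE="/sshfiles/ssh-test.txt"

# One scp pull through HAProxy. $1 = port, $2 = attempt number (used only to
# give each parallel copy its own local filename).
scp_pull() {
  scp -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null \
      -P "$1" "$SSH_TARGET:$REMOTE_FILE" "/tmp/ssh-test.$2.txt"
}

# Launch $1 pulls at once (the lab uses 1000) and report how many HAProxy
# accepted. With the conn_cur limit in place the expected answer is ok=2.
burst() {
  n=$1; port=$2; pids=""; i=1
  while [ "$i" -le "$n" ]; do
    scp_pull "$port" "$i" >/dev/null 2>&1 &
    pids="$pids $!"
    i=$((i + 1))
  done
  ok=0; fail=0
  for p in $pids; do
    # wait <pid> returns that job's exit status, so failures can be counted.
    if wait "$p"; then ok=$((ok + 1)); else fail=$((fail + 1)); fi
  done
  echo "ok=$ok fail=$fail"
}

# Pull one file at a time until a pull is refused, trying at most $1 times,
# and report how many succeeded. With conn_rate(1m) capped at 10 this is 10.
serial_until_blocked() {
  max=$1; port=$2; passed=0; i=1
  while [ "$i" -le "$max" ]; do
    if scp_pull "$port" "$i" >/dev/null 2>&1; then
      passed=$((passed + 1))
    else
      break
    fi
    i=$((i + 1))
  done
  echo "$passed"
}

case "${1:-}" in
  burst)  burst "${2:-1000}" "$SSH_PORT" ;;
  # Let the 1m stick-table entry from any earlier burst expire before the
  # serial run, as the lab does, so the rate limit is measured from zero.
  serial) sleep 60; serial_until_blocked "${2:-20}" "$SSH_PORT" ;;
esac
```

    Run `burst` first and compare its ok/fail line with the stats page on port 8050, then `serial` to confirm the eleventh connection inside a minute is the one refused. Because each scp's exit status is collected with `wait`, the counts reflect what HAProxy actually rejected rather than what was merely launched.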

The Cloud Content team comprises subject matter experts hyper focused on services offered by the leading cloud vendors (AWS, GCP, and Azure), as well as cloud-related technologies such as Linux and DevOps. The team is thrilled to share their knowledge to help you build modern tech solutions from the ground up, secure and optimize your environments, and so much more!
