(from) https://kr.godaddy.com/help/how-to-set-an-ssh-timeout-12300
How to set an SSH timeout
Setting a distinct timeout period for SSH connections on your server is a simple but important step toward maintaining both server stability and security. The SSH daemon shipped with most Linux distributions makes this easy to configure, and an additional shell setting lets you disconnect idle users as well.
DIFFICULTY | Basic - 1 | Medium - 2 | Advanced - 3 |
TIME REQUIRED | 10 min |
RELATED PRODUCTS | Linux-based VPS or dedicated servers; Linux-based shared hosting |
Managing Server-side SSH Timeouts
To easily handle disconnected or even idle clients connected via SSH to your server, you'll want to look at the problem from two angles: ClientAlive and shell TMOUT.
Configuring SSH ClientAlive Settings
When a client remotely connects via SSH to your (properly configured) Linux-based server, the server sends a series of KeepAlive requests to connected clients at designated intervals. On each execution, the server sends a packet to the client to verify that the client connection is still valid and functional. Should this KeepAlive packet exchange ever fail, the server can automatically sever that connection. To ensure your server terminates any SSH clients that do not respond properly, you must edit your sshd_config file. On most distributions, sshd_config is located in the /etc/ssh directory, but if necessary you can always locate it with a quick find:
/etc/ssh/sshd_config
/usr/share/doc/openssh-client/examples/sshd_config
To begin, open the sshd_config file in your favorite text editor (such as vim or nano – we're using nano here):
# Package generated configuration file
# See the sshd_config(5) manpage for details
# What ports, IPs and protocols we listen for
Port 22
# Use these options to restrict which interfaces/protocols sshd will bind to
#ListenAddress ::
#ListenAddress 0.0.0.0
...
There are three settings you should locate — or add if necessary — in your sshd_config file:
ClientAliveCountMax
ClientAliveInterval
TCPKeepAlive
Below are the default settings for most SSH daemon installations:
ClientAliveInterval 0
TCPKeepAlive yes
ClientAliveInterval determines how frequently (in seconds) an encrypted, and therefore difficult-to-spoof, ClientAlive packet is transmitted to the client. This setting works in tandem with ClientAliveCountMax, which determines how many KeepAlive packets will be transmitted to the client with no response before the connection is terminated.
With the default ClientAliveInterval of zero seconds, most SSH daemon installations will not transmit these ClientAlive packets at all.
You can enable ClientAlive packet transmission by changing these settings in your sshd_config file. For example, to send a maximum of 4 packets at an interval of 15 seconds apart, add these lines to the sshd_config file:
ClientAliveInterval 15
ClientAliveCountMax 4
The third setting, TCPKeepAlive, behaves similarly to the ClientAliveCountMax and ClientAliveInterval pair, except that TCPKeepAlive uses unencrypted packets (sent at the TCP layer) to verify that clients are still connected.
Enabling TCPKeepAlive ensures that there will not be any "ghost" client connections to your server consuming resources. On the other hand, if a temporary internet hiccup severs the connection between an SSH-connected client and your server, TCPKeepAlive may disconnect that user.
To enable (or disable) TCPKeepAlive, set the value in the sshd_config file to either yes or no:
TCPKeepAlive yes
As usual after making any changes to your sshd_config file, be certain to save the file and then restart your SSH daemon.
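To see what a given sshd_config actually yields, here is an added shell example (not part of the GoDaddy article) that reads the three settings and computes how long an unresponsive client survives (ClientAliveInterval × ClientAliveCountMax). It assumes OpenSSH semantics: the first occurrence of a keyword wins, keywords are case-insensitive, and the defaults are ClientAliveInterval 0, ClientAliveCountMax 3 and TCPKeepAlive yes; the two sample config files it writes are constructed for the demonstration.

```shell
#!/bin/sh
# Audit an sshd_config for the dead-connection settings discussed above.
# Added example, not GoDaddy's code. Assumed OpenSSH semantics: the FIRST
# occurrence of a keyword wins, keywords are case-insensitive, and the
# defaults are ClientAliveInterval 0, ClientAliveCountMax 3, TCPKeepAlive yes.

# sshd_value FILE KEYWORD DEFAULT -> effective value of KEYWORD in FILE
sshd_value() {
    val=$(awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || NF < 2 { next }    # skip comments and blank lines
        tolower($1) == key { print $2; exit }  # first obtained value is used
    ' "$1")
    printf '%s\n' "${val:-$3}"
}

# dead_peer_seconds FILE -> seconds before an unresponsive client is dropped
# (ClientAliveInterval * ClientAliveCountMax); 0 means checking is disabled
dead_peer_seconds() {
    interval=$(sshd_value "$1" ClientAliveInterval 0)
    count=$(sshd_value "$1" ClientAliveCountMax 3)
    echo $((interval * count))
}

# audit FILE -> one-line verdict on the file's dead-connection handling
audit() {
    secs=$(dead_peer_seconds "$1")
    if [ "$secs" -eq 0 ]; then
        echo "disabled: ClientAliveInterval is 0, so unresponsive clients are never dropped"
    else
        echo "ok: unresponsive clients dropped after ${secs}s (TCPKeepAlive $(sshd_value "$1" TCPKeepAlive yes))"
    fi
}

# Constructed sample configs (not a real server's files) to exercise the checks.
HARDENED=$(mktemp); STOCK=$(mktemp)
trap 'rm -f "$HARDENED" "$STOCK"' EXIT
cat > "$HARDENED" <<'EOF'
Port 22
clientaliveinterval 15
ClientAliveCountMax 4
# the duplicate below is ignored: the first obtained value wins
ClientAliveInterval 600
TCPKeepAlive yes
EOF
printf 'Port 22\n#ClientAliveInterval 300\n' > "$STOCK"

audit "$HARDENED"   # ok: unresponsive clients dropped after 60s (TCPKeepAlive yes)
audit "$STOCK"
```

Point it at /etc/ssh/sshd_config on a real host to confirm the restart picked up your change; a commented-out line, as in the STOCK sample, still leaves checking disabled.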
Disconnecting Idle SSH Clients
While the ClientAlive and TCPKeepAlive settings in your sshd_config will handle any connections that were improperly severed, they have no effect on SSH client connections that are simply idle for a lengthy period of time. If security is paramount, you may wish to sever idle SSH connections to your server.
On most Linux distributions, disconnecting an idle client can be handled with the TMOUT bash setting in your bashrc file. Since you'll likely want settings that apply to all users, edit the /etc/bash.bashrc file (for user-specific settings, open ~/.bashrc instead):
# System-wide .bashrc file for interactive bash(1) shells.
# To enable the settings / commands in this file for login shells as well,
# this file has to be sourced in /etc/profile.
...
To add an idle client disconnection, add the following to the end of the bash.bashrc file:
TMOUT=300  # idle limit in seconds; 300 (5 minutes) matches the test session shown below
readonly TMOUT
export TMOUT
TMOUT is the number of seconds a client can remain connected and idle before bash detects the timeout and the connection is dropped by the server. Use a fairly small value at first to test your settings, then set a reasonable value for production. Because the variable is declared readonly, users cannot unset or change it in their own sessions; note that TMOUT only governs interactive bash shells, so it does not affect SFTP sessions, port forwards, or users whose login shell is not bash. Once the settings are changed and bash.bashrc has been saved, open a new SSH connection to your server and wait. After your TMOUT period has elapsed, your connection will be severed:
Wed Oct 15 03:09:41 EDT 2014
account@ubuntu:~# ssh root@123.123.456.78
root@Main:~# date
Wed Oct 15 03:09:47 EDT 2014
root@Main:~# timed out waiting for input: auto-logout
Connection to 123.123.456.78 closed
account@ubuntu:~# date
Wed Oct 15 03:14:53 EDT 2014
Following these basic practices will ensure increased security and stability for all SSH connections to your server.