[Bug 3211] DDoS attack by using ssh-keyscan
bugzilla-daemon at mindrot.org
Fri Mar 12 15:02:15 AEDT 2021
https://bugzilla.mindrot.org/show_bug.cgi?id=3211
Darren Tucker <dtucker at dtucker.net> changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |dtucker at dtucker.net
--- Comment #3 from Darren Tucker <dtucker at dtucker.net> ---
In 8.5 we added PerSourceMaxStartups and PerSourceNetBlockSize which
allow limiting startups by source address, optionally grouping nearby
addresses into blocks:
    PerSourceMaxStartups
            Specifies the number of unauthenticated connections allowed from
            a given source address, or "none" if there is no limit. This
            limit is applied in addition to MaxStartups, whichever is lower.
            The default is none.

    PerSourceNetBlockSize
            Specifies the number of bits of source address that are grouped
            together for the purposes of applying PerSourceMaxStartups
            limits. Values for IPv4 and optionally IPv6 may be specified,
            separated by a colon. The default is 32:128, which means each
            address is considered individually.
If you set PerSourceMaxStartups to something lower than MaxStartups it
will prevent any single address (or block of addresses if you set
PerSourceNetBlockSize) from tying up all of the startups.