Call for testing: openssh-9.8
Chris Rapier
rapier at psc.edu
Tue Jun 25 05:05:43 AEST 2024
On 6/18/24 6:40 PM, Damien Miller wrote:
> On Tue, 18 Jun 2024, Chris Rapier wrote:
>
>> Just curious, has this been tested at scale? I see that there are, by
>> default, a maximum number of hosts it can track (default of 64k it
>> seems). At that point I think one of two things happen - sshd stops
>> allowing all connections until some of the banned IPs age out (with
>> the exception of those IPs on an approved list) or it drops banned
>> IPs from the head. I'm just wondering what happens in the event of a
>> sustained attack from, say, a large botnet with more than 64K hosts.
>>
>> I think this is a good idea if people aren't using fail2ban but
>> being that this is a relatively impactful change that could,
>> unintentionally, lock out valid users (especially in attack scenarios)
>> I'm somewhat hesitant to deploy in production without understanding
>> this mechanism and testing results in a little more detail if
>> available.
>
> I suggest reading the documentation then:
> https://man.openbsd.org/sshd_config.5#PerSourcePenalties
I read the documentation and the source code, which is why I brought this
up. What I was really looking for was the results of any testing in
large scale attack scenarios. If that's not available that's fine. I
just don't want to repeat work that's already been done.
Chris
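For readers following the thread, here is an added sshd_config fragment (not from the original message or from the OpenSSH project itself) showing the two knobs the question above is really about: how large the per-source penalty table may grow before it is full, and what sshd does with new sources once it is. The directive and keyword names are those documented in the sshd_config(5) page linked in the thread; the 10.0.0.0/8 exemption is a constructed placeholder for a site's own management network.

```conf
# Added example, not the project's own configuration.
# Enable penalties (default in 9.8) and choose behaviour when the
# tracking table is full.
#   overflow:deny-all    - refuse connections from non-exempt sources
#                          until entries age out (the first outcome
#                          described above)
#   overflow:permissive  - stop penalising new sources once full
#                          (the second outcome)
# max-sources4/max-sources6 bound the table size (default 65536).
PerSourcePenalties crash:90s authfail:5s noauth:1s grace-exceeded:20s max:10m min:15s max-sources4:65536 max-sources6:65536 overflow:permissive overflow6:permissive

# Sources that are never penalised or refused, e.g. a management
# network (constructed placeholder range).
PerSourcePenaltyExemptList 10.0.0.0/8
```

Run `sshd -T` after editing to confirm the parsed values; with `overflow:deny-all` a sustained attack from more than max-sources distinct addresses will refuse all non-exempt clients until penalties expire, so the exempt list is the safety net for legitimate administrators in that scenario.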