Call for testing: openssh-9.8
Chris Rapier
rapier at psc.edu
Wed Jun 19 00:07:41 AEST 2024
On 6/17/2024 22:46, Damien Miller wrote:
> This release contains mostly bugfixes.
>
> New features
> ------------
>
> * sshd(8): add the ability to penalise client addresses that, for
> various reasons, do not successfully complete authentication.
> sshd(8) will now identify situations where the session did not
> authenticate as expected. These conditions include when the client
> repeatedly attempted authentication unsucessfully (possibly
> indicating an attack against one or more accounts, e.g. password
> guessing), or when client behaviour caused sshd to crash (possibly
> indicating attempts to exploit sshd).
Just curious, has this been tested at scale? I see that there are, by
default, a maximum number of hosts it can track (default of 64k it
seems). At that point I think one of two things happen - sshd stops
allowing all connections until some of the banned IPs age out (with the
exception of those IPs on an approved list) or it drops banned IPs from
the head. I'm just wondering what happens in the event of a sustained
attack from, say, a large botnet with more than 64K hosts.
I think this is a good idea if people aren't using fail2ban but being
that this is a relatively impactful change that could, unintentionally,
lock out valid users (especially in attack scenarios) I'm somewhat
hesitant to deploy in production without understanding this mechanism
and testing results in a little more detail if available.
Chris
More information about the openssh-unix-dev
mailing list