Re: Call for testing: openssh-9.8

On 6/17/2024 22:46, Damien Miller wrote:

This release contains mostly bugfixes.

New features
------------

  * sshd(8): add the ability to penalise client addresses that, for
    various reasons, do not successfully complete authentication.
    sshd(8) will now identify situations where the session did not
    authenticate as expected. These conditions include when the client
    repeatedly attempted authentication unsuccessfully (possibly
    indicating an attack against one or more accounts, e.g. password
    guessing), or when client behaviour caused sshd to crash (possibly
    indicating attempts to exploit sshd).

Just curious, has this been tested at scale? I see that there are, by default, a maximum number of hosts it can track (default of 64k it seems). At that point I think one of two things happen - sshd stops allowing all connections until some of the banned IPs age out (with the exception of those IPs on an approved list) or it drops banned IPs from the head. I'm just wondering what happens in the event of a sustained attack from, say, a large botnet with more than 64K hosts.

I think this is a good idea if people aren't using fail2ban but being that this is a relatively impactful change that could, unintentionally, lock out valid users (especially in attack scenarios) I'm somewhat hesitant to deploy in production without understanding this mechanism and testing results in a little more detail if available.

Chris
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
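The two table-full outcomes Chris describes above (refuse everyone not on the exempt list until entries age out, or keep serving addresses the table has no room to record) can be made concrete with a small model of a bounded per-source penalty table. The code below is an added illustration written for this page, not OpenSSH's implementation; the table size, penalty values, addresses and the `overflow` policy names are constructed for the simulation (they mirror the `overflow:permissive` / `overflow:deny-all` choice that, as I read the 9.8 sshd_config(5), `PerSourcePenalties` exposes, but the behaviour shown is the model's, not a claim about sshd's code). The point it makes for a defender is the trade-off: a permissive overflow means a botnet larger than the table is only partly slowed, while deny-all means a botnet larger than the table locks out every legitimate user who is not exempt until penalties expire.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed addresses for the simulation (not from the thread).
EXEMPT = "192.0.2.10"      # an admin host placed on the exemption list
LEGIT = "198.51.100.5"     # a normal, non-exempt user


@dataclass
class PenaltyTable:
    """Model of a bounded penalty table keyed by client address.

    overflow='permissive': when the table is full, new offenders are simply
    not recorded and unknown addresses keep getting served.
    overflow='deny-all':   when the table is full, every address that is not
    exempt is refused until entries expire and free a slot.
    """
    max_sources: int = 65536          # the 64k default mentioned in the thread
    overflow: str = "permissive"      # or "deny-all" (modelled policy names)
    min_penalty: float = 15.0         # constructed clamp values, seconds
    max_penalty: float = 600.0
    exempt: set = field(default_factory=set)
    entries: dict = field(default_factory=dict)   # addr -> expiry timestamp

    def _expire(self, now: float) -> None:
        """Drop entries whose penalty has elapsed."""
        for addr in [a for a, exp in self.entries.items() if exp <= now]:
            del self.entries[addr]

    def penalize(self, addr: str, seconds: float, now: float) -> bool:
        """Record a penalty for addr. Returns True if it was recorded."""
        if addr in self.exempt:
            return False
        self._expire(now)
        if addr in self.entries:
            # Repeat offender: extend the existing penalty, capped at max.
            remaining = self.entries[addr] - now
            self.entries[addr] = now + min(self.max_penalty, remaining + seconds)
            return True
        if len(self.entries) >= self.max_sources:
            return False          # table full: the new offender is not tracked
        self.entries[addr] = now + min(self.max_penalty, max(self.min_penalty, seconds))
        return True

    def allowed(self, addr: str, now: float) -> bool:
        """Would a new connection from addr be accepted at time now?"""
        if addr in self.exempt:
            return True
        self._expire(now)
        if addr in self.entries:
            return False
        if len(self.entries) >= self.max_sources and self.overflow == "deny-all":
            return False          # full table + deny-all refuses unknown addresses
        return True


def simulate(num_attackers: int, overflow: str, max_sources: int = 1000,
             penalty: float = 30.0):
    """Run a botnet of num_attackers distinct sources against a table of
    max_sources slots, each source failing authentication once.

    Returns (state while penalties are active, state after they expire).
    """
    table = PenaltyTable(max_sources=max_sources, overflow=overflow, exempt={EXEMPT})
    now = 0.0
    base = int(ipaddress.IPv4Address("10.0.0.0"))   # constructed attacker range
    attackers = [str(ipaddress.IPv4Address(base + i)) for i in range(num_attackers)]

    recorded = sum(table.penalize(a, penalty, now) for a in attackers)
    during = {
        "recorded": recorded,
        "first_attacker_blocked": not table.allowed(attackers[0], now + 1),
        "last_attacker_blocked": not table.allowed(attackers[-1], now + 1),
        "legit_allowed": table.allowed(LEGIT, now + 1),
        "exempt_allowed": table.allowed(EXEMPT, now + 1),
    }
    after = {
        "legit_allowed": table.allowed(LEGIT, now + penalty + 1),
        "entries": len(table.entries),
    }
    return during, after


if __name__ == "__main__":
    for policy in ("permissive", "deny-all"):
        print(policy, *simulate(1500, policy))
```

With 1500 attacking sources against a 1000-slot table, the permissive run records only the first 1000 offenders: the remaining 500 are never penalised, while the exempt host and the ordinary user are unaffected. The deny-all run blocks the untracked attackers too, but at the cost of refusing the ordinary user as well until the recorded penalties expire; only the exempt host keeps access throughout, which is why the exemption list matters before enabling a deny-all style overflow on a server that must stay reachable during a flood.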