On Tue, 18 Jun 2024, Chris Rapier wrote:

> Just curious, has this been tested at scale? I see that there are, by
> default, a maximum number of hosts it can track (default of 64k it
> seems). At that point I think one of two things happens - sshd stops
> allowing all connections until some of the banned IPs age out (with
> the exception of those IPs on an approved list) or it drops banned
> IPs from the head. I'm just wondering what happens in the event of a
> sustained attack from, say, a large botnet with more than 64K hosts.
>
> I think this is a good idea if people aren't using fail2ban but
> being that this is a relatively impactful change that could,
> unintentionally, lock out valid users (especially in attack scenarios)
> I'm somewhat hesitant to deploy in production without understanding
> this mechanism and testing results in a little more detail if
> available.

I suggest reading the documentation then:
https://man.openbsd.org/sshd_config.5#PerSourcePenalties

> overflow:mode
>     Controls how the server behaves when max-sources4 or max-sources6
>     is exceeded. There are two operating modes: deny-all, which
>     denies all incoming connections other than those exempted via
>     PerSourcePenaltyExemptList until a penalty expires, and permissive,
>     which allows new connections by removing existing penalties early
>     (default: permissive). Note that client penalties below the min
>     threshold count against the total number of tracked penalties. IPv4
>     and IPv6 addresses are tracked separately, so an overflow in one
>     will not affect the other.
>
> overflow6:mode
>     Allows specifying a different overflow mode for IPv6 addresses.
>     The default is to use the same overflow mode as was specified for
>     IPv4.

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
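As an added illustration (not code from OpenSSH, nor from anyone in this thread), the following Python toy model plays out the scenario Chris asks about: more offending sources than the table can hold, under each overflow mode from the man page excerpt. It assumes one entry per source with a fixed expiry, that permissive mode evicts the entry due to expire soonest (the excerpt does not say which entry is dropped), and that exemptions are CIDR networks; all addresses are constructed.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class PenaltyTable:
    """Toy model of a per-source penalty table (not OpenSSH's srclimit.c)."""
    max_sources: int                   # like max-sources4 / max-sources6
    overflow: str = "permissive"       # "permissive" or "deny-all"
    penalty_seconds: int = 30
    exempt: list = field(default_factory=list)    # like PerSourcePenaltyExemptList
    _expires: dict = field(default_factory=dict)  # source -> expiry time
    _overflowed: bool = False

    def _is_exempt(self, src):
        return any(ip_address(src) in ip_network(n) for n in self.exempt)

    def _expire(self, now):
        self._expires = {s: t for s, t in self._expires.items() if t > now}
        if len(self._expires) < self.max_sources:
            self._overflowed = False        # deny-all lifts once a penalty expires

    def penalize(self, src, now):
        """Record an abusive connection from src; True if src is now tracked."""
        self._expire(now)
        if self._is_exempt(src):
            return False                    # exempt sources never get entries
        if src not in self._expires and len(self._expires) >= self.max_sources:
            if self.overflow == "deny-all":
                self._overflowed = True     # hold the gate shut, table unchanged
                return False
            # permissive: evict the entry due to expire soonest (an assumption)
            del self._expires[min(self._expires, key=self._expires.get)]
        self._expires[src] = now + self.penalty_seconds
        return True

    def allow(self, src, now):
        """Would a new connection from src be accepted at time now?"""
        self._expire(now)
        if self._is_exempt(src):
            return True
        return src not in self._expires and not self._overflowed

def simulate(overflow, bots=100, max_sources=64, exempt=()):
    """`bots` distinct sources each misbehave once, then a fresh legitimate
    source connects. Returns (legit_allowed, entries_tracked)."""
    table = PenaltyTable(max_sources, overflow, exempt=list(exempt))
    for i in range(bots):                   # constructed 10.0.x.y sources
        table.penalize(f"10.0.{i // 256}.{i % 256}", now=0)
    return table.allow("192.0.2.10", now=1), len(table._expires)
```

With the default arguments, permissive mode keeps admitting the legitimate source at the cost of forgetting some attackers early, while deny-all blocks everyone not on the exempt list until an entry ages out; an exempt-list entry covering the operator's own network is what keeps an administrator from being locked out in that mode.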