On 6/18/24 6:40 PM, Damien Miller wrote:
> On Tue, 18 Jun 2024, Chris Rapier wrote:
>> Just curious, has this been tested at scale? I see that there are, by
>> default, a maximum number of hosts it can track (default of 64k it
>> seems). At that point I think one of two things happens - sshd stops
>> allowing all connections until some of the banned IPs age out (with
>> the exception of those IPs on an approved list) or it drops banned
>> IPs from the head. I'm just wondering what happens in the event of a
>> sustained attack from, say, a large botnet with more than 64K hosts.
>> I think this is a good idea if people aren't using fail2ban but
>> being that this is a relatively impactful change that could,
>> unintentionally, lock out valid users (especially in attack scenarios)
>> I'm somewhat hesitant to deploy in production without understanding
>> this mechanism and testing results in a little more detail if
>> available.
> I suggest reading the documentation then:
> https://man.openbsd.org/sshd_config.5#PerSourcePenalties
I read the documentation and the source code, which is why I brought this
up. What I was really looking for was the results of any testing in
large scale attack scenarios. If that's not available that's fine. I
just don't want to repeat work that's already been done.
Chris
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
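The question in this thread is what a bounded penalty table does once more distinct sources misbehave than it can track. The following is an added, constructed model written for this page; it is not OpenSSH's code and does not reproduce sshd's data structures or timings. It assumes the behaviour described by the two `overflow` policies in sshd_config(5) (`permissive`: new addresses are simply no longer tracked while the table is full; `deny-all`: all non-exempt addresses are refused while the table is full), a per-offence penalty that accumulates up to a cap, and an exempt list in the role of `PerSourcePenaltyExemptList`. The address ranges, penalty values and table size are all constructed so that the overflow case is easy to reproduce.

```python
"""Constructed model of a bounded per-source penalty table.

Not OpenSSH code. Assumptions: each offence adds `penalty_seconds` to an
address's penalty (capped at `max_penalty`); expired entries free table
slots; a full table either stops tracking new offenders ("permissive")
or refuses every non-exempt client ("deny-all"); exempt ranges are never
penalised or refused.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class PenaltyTable:
    max_sources: int                                   # table capacity
    overflow: str = "permissive"                       # "permissive" or "deny-all"
    penalty_seconds: int = 30                          # added per offence
    max_penalty: int = 600                             # cap on accumulated penalty
    exempt: list[str] = field(default_factory=list)    # CIDRs never penalised
    _expiry: dict[str, int] = field(default_factory=dict)  # addr -> penalty end time

    def is_exempt(self, addr: str) -> bool:
        ip = ipaddress.ip_address(addr)
        return any(ip in ipaddress.ip_network(cidr) for cidr in self.exempt)

    def _expire(self, now: int) -> None:
        # Age out entries whose penalty has lapsed, freeing table slots.
        self._expiry = {a: t for a, t in self._expiry.items() if t > now}

    def tracked(self) -> int:
        return len(self._expiry)

    def penalize(self, addr: str, now: int) -> bool:
        """Record an offence (e.g. a failed authentication).

        Returns False when the address could not be recorded because the
        table is full and the address is not already in it."""
        if self.is_exempt(addr):
            return True
        self._expire(now)
        current = self._expiry.get(addr)
        if current is None and len(self._expiry) >= self.max_sources:
            return False
        base = max(current or now, now)
        self._expiry[addr] = min(base + self.penalty_seconds, now + self.max_penalty)
        return True

    def allow(self, addr: str, now: int) -> bool:
        """Decide whether a new connection from addr is accepted."""
        if self.is_exempt(addr):
            return True
        self._expire(now)
        if addr in self._expiry:
            return False                   # still serving a penalty
        if len(self._expiry) >= self.max_sources and self.overflow == "deny-all":
            return False                   # table full: refuse all non-exempt clients
        return True


def simulate(overflow: str, attackers: int = 100, max_sources: int = 50) -> dict:
    """Constructed scenario: `attackers` distinct sources each fail once
    against a table that can only track `max_sources` of them, then a
    legitimate user and an exempt admin try to connect."""
    table = PenaltyTable(max_sources=max_sources, overflow=overflow,
                         exempt=["10.0.0.0/8"])          # constructed admin range
    now = 0
    bots = [f"203.0.113.{i}" for i in range(attackers)]  # TEST-NET-3, constructed
    recorded = sum(table.penalize(b, now) for b in bots)
    return {
        "tracked": table.tracked(),
        "offenders_recorded": recorded,
        "tracked_bot_blocked": not table.allow(bots[0], now),
        "untracked_bot_allowed": table.allow(bots[-1], now),
        "new_user_allowed": table.allow("192.0.2.7", now),   # TEST-NET-1, constructed
        "exempt_admin_allowed": table.allow("10.1.2.3", now),
        "new_user_after_ageout": table.allow("192.0.2.7", now + 3600),
    }


if __name__ == "__main__":
    for policy in ("permissive", "deny-all"):
        print(policy, simulate(policy))
```

Run stand-alone, the two policies show the trade-off behind the concern raised above: under `permissive` the 50 tracked bots stay blocked but the 51st and later bots, and any new legitimate user, are admitted; under `deny-all` the same overflow refuses the new legitimate user as well, and only the exempt range keeps working until entries age out and free slots.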