openssh bugs - Sep 2016 - [Bug 2613] New: Log connections dropped when MaxStartups is reached

https://bugzilla.mindrot.org/show_bug.cgi?id=2613

            Bug ID: 2613
           Summary: Log connections dropped when MaxStartups is reached
           Product: Portable OpenSSH
           Version: 7.3p1
          Hardware: Sparc
                OS: Solaris
            Status: NEW
          Severity: trivial
          Priority: P5
         Component: sshd
          Assignee: unassigned-bugs at mindrot.org
          Reporter: tomas.kuthan at oracle.com

When MaxStartups of unauthenticated concurrent connections is hit,
additional connections are dropped.

Dropped connections should be logged.

Server administrator should be able to find this information and might
be interested in details.

-- 
You are receiving this mail because:
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=2613

--- Comment #1 from Tomas Kuthan <tomas.kuthan at oracle.com> ---
Created attachment 2873
  --> https://bugzilla.mindrot.org/attachment.cgi?id=2873&action=edit
Log dropped connections

-- 
You are receiving this mail because:
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=2613

--- Comment #2 from Darren Tucker <dtucker at zip.com.au> ---
Comment on attachment 2873
  --> https://bugzilla.mindrot.org/attachment.cgi?id=2873
Log dropped connections
>+				logit("MaxStartups: dropping connection #%d",
>+				    startups);
The connection identifier is included in this log message so syslog
won't be able to dedupe it.  Not sure if that's significant, though.

-- 
You are receiving this mail because:
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=2613

Darren Tucker <dtucker at zip.com.au> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Blocks|                            |2594
                 CC|                            |dtucker at zip.com.au


Referenced Bugs:

https://bugzilla.mindrot.org/show_bug.cgi?id=2594
[Bug 2594] Tracking bug for OpenSSH 7.4 release
-- 
You are receiving this mail because:
You are watching someone on the CC list of the bug.
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=2613

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
   Attachment #2873|0                           |1
        is obsolete|                            |
                 CC|                            |djm at mindrot.org
             Status|NEW                         |ASSIGNED
           Assignee|unassigned-bugs at mindrot.org |djm at mindrot.org
   Attachment #2907|                            |ok?(dtucker at zip.com.au)
              Flags|                            |

--- Comment #3 from Damien Miller <djm at mindrot.org> ---
Created attachment 2907
  --> https://bugzilla.mindrot.org/attachment.cgi?id=2907&action=edit
log addresses too

This logs the endpoint addresses too and downgrades the message to
verbose() - IMO it could be pretty spammy during a DoS

-- 
You are receiving this mail because:
You are watching someone on the CC list of the bug.
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=2613

--- Comment #4 from Darren Tucker <dtucker at zip.com.au> ---
Comment on attachment 2907
  --> https://bugzilla.mindrot.org/attachment.cgi?id=2907
log addresses too
>+				verbose("drop connection #%d from [%s]:%d "
won't that be wrong (or at least misleading) for IPv6 addresses?

-- 
You are receiving this mail because:
You are watching someone on the CC list of the bug.
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=2613

Darren Tucker <dtucker at zip.com.au> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
   Attachment #2907|ok?(dtucker at zip.com.au)     |ok+
              Flags|                            |

--- Comment #5 from Darren Tucker <dtucker at zip.com.au> ---
Comment on attachment 2907
  --> https://bugzilla.mindrot.org/attachment.cgi?id=2907
log addresses too

[127.0.0.1]:22 vs [::1]:22

nevermind, I withdraw that bogus objection.

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=2613

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|---                         |FIXED
             Status|ASSIGNED                    |RESOLVED

--- Comment #6 from Damien Miller <djm at mindrot.org> ---
patch applied; this will be in OpenSSH 7.4

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=2613

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |CLOSED

--- Comment #7 from Damien Miller <djm at mindrot.org> ---
closing resolved bugs as of 8.6p1 release

-- 
You are receiving this mail because:
You are watching someone on the CC list of the bug.
You are watching the assignee of the bug.