search for: persourcepenalties

Displaying 20 results from an estimated 29 matches for "persourcepenalties".

2024 Jul 03
0
[Bug 3705] New: Disk space exhaustion from PerSourcePenalties logging
https://bugzilla.mindrot.org/show_bug.cgi?id=3705 Bug ID: 3705 Summary: Disk space exhaustion from PerSourcePenalties logging Product: Portable OpenSSH Version: -current Hardware: amd64 OS: Linux Status: NEW Severity: normal Priority: P5 Component: sshd Assignee: unassigned-bugs at mindrot.org Reporter: jte...
2024 Dec 09
1
PerSourcePenalties and ssh-copy-id
Dear colleagues, Can we somehow improve the UX related to a relatively freshly introduced PerSourcePenalties option? A popular pattern implies installation of the users' keys to a freshly installed machine using ssh-copy-id script. The default settings don't allow this command to work normally and cause login failures. A reasonable workaround could be adding some threshold for a number of failu...
2024 Dec 10
1
PerSourcePenalties and ssh-copy-id
On Mon, 9 Dec 2024, Dmitry Belyavskiy wrote: > Dear colleagues, > > Can we somehow improve the UX related to a relatively freshly > introduced PerSourcePenalties option? > > A popular pattern implies installation of the users' keys to a freshly > installed machine using ssh-copy-id script. The default settings don't > allow this command to work normally and cause login failures. > > A reasonable workaround could be adding some t...
2024 Dec 13
3
[Bug 3766] New: openssh PerSourcePenalties and pam_nologin interaction
https://bugzilla.mindrot.org/show_bug.cgi?id=3766 Bug ID: 3766 Summary: openssh PerSourcePenalties and pam_nologin interaction Product: Portable OpenSSH Version: 9.8p1 Hardware: ARM64 OS: Linux Status: NEW Severity: normal Priority: P5 Component: PAM support Assignee: unassigned-bugs at mindrot.org...
2024 Dec 10
1
PerSourcePenalties and ssh-copy-id
Damien Miller <djm at mindrot.org> writes: > On Mon, 9 Dec 2024, Dmitry Belyavskiy wrote: > >> Dear colleagues, >> >> Can we somehow improve the UX related to a relatively freshly >> introduced PerSourcePenalties option? >> >> A popular pattern implies installation of the users' keys to a freshly >> installed machine using ssh-copy-id script. The default settings don't >> allow this command to work normally and cause login failures. >> >> A reasonable workaroun...
2024 Aug 01
0
ratelimiting for PerSourcePenalties logging
Hi, A few people have requested rate-limiting for PerSourcePenalties logging. These patches add it. Please give them a try if you're interested in this feature. -d -------------- next part --------------
2024 Jun 25
3
An Analysis of the DHEat DoS Against SSH in Cloud Environments
...able to reduce idle time to 0.0% using "./ssh-audit.py --dheat=16 target_host". Next, I increased the vCPUs to 4. The same ssh-audit command yielded 54% idle time (averaged over 60 seconds). That's still a lot of strain on the target, despite the fact that the logs claim that the PerSourcePenalties noauth:1 restriction was being triggered. After that, I tried simply flooding the target with open connections without performing the DHEat attack ("ssh-audit.py --conn-rate-test=16 target_host"). This caused the 60-second average idle time to come all the way down to 6%! Additionally,...
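For reference alongside the DHEat tests above, here is an sshd_config fragment (an added example, not from the thread or from the OpenSSH project): the 9.8 defaults for comparison, followed by an illustrative stricter policy. The durations, the 192.0.2.0/24 management netblock and the /24 aggregation are assumptions to be tuned for a given deployment, not values the thread recommends. Two caveats raised elsewhere on this page apply: a lower min makes the ssh-copy-id lockout described above more likely, and in 9.8 every refused connection produced an INFO-level log line (Bug 3705), so a stricter policy under a flood also means faster log growth until the rate limits added in 10.0.

```sshd_config
# OpenSSH 9.8 defaults, shown for comparison. Leaving the directive unset
# gives exactly this.
#PerSourcePenalties crash:90s authfail:5s noauth:1s grace-exceeded:20s max:600s min:15s max-sources4:65536 max-sources6:65536 overflow:permissive

# Illustrative stricter setting (assumed values, tune before use): a
# connection that never attempts authentication now costs 10s instead of 1s,
# a LoginGraceTime expiry costs 60s, enforcement starts at 5s of accrued
# penalty, and when the source table fills up all non-exempt sources are
# refused rather than new sources going untracked.
PerSourcePenalties noauth:10s grace-exceeded:60s min:5s max:1800s overflow:deny-all

# Never penalise the management network (example netblock), so an operator
# testing the policy is not locked out of the host.
PerSourcePenaltyExemptList 192.0.2.0/24

# Account penalties per /24 for IPv4 (and per /64 for IPv6), so a client
# rotating through addresses within one netblock shares a single penalty.
PerSourceNetBlockSize 24:64
```

After changing these, run `sshd -T | grep -i persource` to confirm the effective values, and keep an existing session open while reconnecting from an exempt host before relying on the new policy.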
2025 Jan 02
1
[Bug 3771] New: Will future versions of openssh provide DDoS attack defense for the DH algorithm?:CVE-2024-41996
https://bugzilla.mindrot.org/show_bug.cgi?id=3771 Bug ID: 3771 Summary: Will future versions of openssh provide DDoS attack defense for the DH algorithm?:CVE-2024-41996 Product: Portable OpenSSH Version: 9.9p1 Hardware: Other OS: All Status: NEW Severity: enhancement
2024 Jun 18
2
Call for testing: openssh-9.8
...lly, lock out valid users (especially in attack scenarios) > I'm somewhat hesitant to deploy in production without understanding > this mechanism and testing results in a little more detail if > available. I suggest reading the documentation then: https://man.openbsd.org/sshd_config.5#PerSourcePenalties > overflow:mode > Controls how the server behaves when max-sources4 or max-sources6 > is exceeded. There are two operating modes: deny-all, which > denies all incoming connections other than those exempted via > PerSourcePenaltyExemptList until a penalty expires, and per...
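To make the overflow:mode text quoted above and the ssh-copy-id lockout discussed earlier concrete, here is a small Python model of the PerSourcePenalties accounting as sshd_config(5) describes it. This is an added example, not code from OpenSSH or from any poster in these threads: per-event durations, the min and max bounds, the exempt list and the two overflow modes follow the documented semantics, but OpenSSH's internal bookkeeping may differ in detail, and the addresses used are constructed.

```python
"""Model of sshd's PerSourcePenalties accounting.

Added example, not code from OpenSSH. It follows the semantics given in
sshd_config(5): each penalised event adds its configured duration to the
source address's penalty; the penalty is enforced only once it reaches
`min`, never grows past `max`, and the address is refused until it expires.
Addresses in the exempt list are never penalised. Once `max_sources` entries
are tracked, `overflow` selects "permissive" (stop recording new sources) or
"deny-all" (refuse every non-exempt source until an entry expires). Sample
addresses are constructed; OpenSSH's internal bookkeeping may differ in detail.
"""
import ipaddress

# Per-event durations (seconds) as shipped by default in OpenSSH 9.8.
DEFAULT_DURATIONS = {"crash": 90, "authfail": 5, "noauth": 1, "grace-exceeded": 20}


class PenaltyTable:
    def __init__(self, durations=None, minimum=15, maximum=600,
                 max_sources=65536, overflow="permissive", exempt=()):
        self.durations = dict(DEFAULT_DURATIONS, **(durations or {}))
        self.minimum, self.maximum = minimum, maximum
        self.max_sources, self.overflow = max_sources, overflow
        self.exempt = [ipaddress.ip_network(n) for n in exempt]
        self.entries = {}  # address -> {"expiry": seconds, "active": bool}

    def _is_exempt(self, addr):
        ip = ipaddress.ip_address(addr)
        return any(ip in net for net in self.exempt)

    def _expire(self, now):
        # Drop entries whose penalty has run out.
        for addr in [a for a, e in self.entries.items() if e["expiry"] <= now]:
            del self.entries[addr]

    def penalise(self, addr, kind, now):
        """Record one penalised event (crash, authfail, noauth, grace-exceeded).
        Returns True if the event was recorded against the address."""
        if self._is_exempt(addr):
            return False
        self._expire(now)
        secs = self.durations[kind]
        entry = self.entries.get(addr)
        if entry is None:
            if len(self.entries) >= self.max_sources:
                return False  # table full; check() applies the overflow mode
            self.entries[addr] = {"expiry": now + secs, "active": False}
            return True
        # Accumulate, but never schedule expiry further than `max` ahead.
        entry["expiry"] = min(entry["expiry"] + secs, now + self.maximum)
        return True

    def check(self, addr, now):
        """Decide whether a new connection from addr is accepted.
        Returns (allowed, reason)."""
        if self._is_exempt(addr):
            return True, "exempt"
        self._expire(now)
        entry = self.entries.get(addr)
        if entry is None:
            if self.overflow == "deny-all" and len(self.entries) >= self.max_sources:
                return False, "table overflow, deny-all"
            return True, "no penalty"
        remaining = entry["expiry"] - now
        if not entry["active"]:
            if remaining < self.minimum:
                return True, f"penalty {remaining}s below min {self.minimum}s"
            entry["active"] = True  # enforced from now until expiry
        return False, f"penalised for {remaining}s"


def ssh_copy_id_scenario(table=None):
    """Three failed public-key attempts from one client within the same second,
    the pattern ssh-copy-id produces when it tries several keys; returns the
    accept/refuse decision after each attempt under the default settings."""
    table = table or PenaltyTable()
    decisions = []
    for _ in range(3):
        table.penalise("198.51.100.7", "authfail", now=0)
        decisions.append(table.check("198.51.100.7", now=0)[0])
    return decisions


if __name__ == "__main__":
    print(ssh_copy_id_scenario())  # [True, True, False]: 3 x 5s reaches min:15s
    exempt = PenaltyTable(exempt=["192.0.2.0/24"])
    exempt.penalise("192.0.2.10", "authfail", now=0)
    print(exempt.check("192.0.2.10", now=0))  # (True, 'exempt')
```

The ssh_copy_id_scenario function shows why the default authfail:5s and min:15s combine badly with a client that fails three key attempts in quick succession: the third failure pushes the accrued penalty to the enforcement threshold, and the follow-up connection that would install the key is refused. Constructing the table with `overflow="deny-all"` and a small `max_sources` reproduces the behaviour quoted from the manual above: once the table is full, an address that has never been seen is still refused until an existing entry expires.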
2024 Jun 19
1
An Analysis of the DHEat DoS Against SSH in Cloud Environments
In the upcoming v9.8 release notes I see "the server will now block client addresses that repeatedly fail authentication, repeatedly connect without ever completing authentication or that crash the server." Has this new PerSourcePenalties config directive been tested against the DHEat attack? - Joe On Thu, 2024-04-25 at 18:09 -0400, Joseph S. Testa II wrote: > A few days ago, I published an article analyzing the susceptibility > of > the DHEat denial-of-service vulnerability against default OpenSSH > settings in cl...
2024 Jun 27
1
An Analysis of the DHEat DoS Against SSH in Cloud Environments
...g openssh-SNAP-20240628.tar.gz with all defaults unchanged. When running using "ssh-audit.py --conn-rate-test=16 target_host", the system idle time averaged over 60 seconds was 50%. The /var/log/auth.log file grew 73MB in this time (nearly 400,000 lines were messages produced by the new PerSourcePenalties logging in sshd.c:627). Next, I modified the logging in sshd.c:627 to always use SYSLOG_LEVEL_DEBUG1 instead of SYSLOG_LEVEL_INFO. Re-running the above test resulted in 73% average idle time and 8KB of log growth. Lastly, from an m7i.2xlarge source EC2 instance in AWS, I targeted an m7i.large in...
2024 Jul 12
3
[Bug 3709] New: PerSourceMaxStartups no longer works as advertised
https://bugzilla.mindrot.org/show_bug.cgi?id=3709 Bug ID: 3709 Summary: PerSourceMaxStartups no longer works as advertised Product: Portable OpenSSH Version: 9.8p1 Hardware: amd64 OS: Linux Status: NEW Severity: normal Priority: P5 Component: sshd Assignee: unassigned-bugs at
2024 Jun 19
1
An Analysis of the DHEat DoS Against SSH in Cloud Environments
On Tue, 18 Jun 2024, Joseph S. Testa II wrote: > In the upcoming v9.8 release notes I see "the server will now block > client addresses that repeatedly fail authentication, repeatedly > connect without ever completing authentication or that crash the > server." Has this new PerSourcePenalties config directive been tested > against the DHEat attack? Not explicitly but those attacks would trigger the "grace-exceeded" path, so they should be detectable and penalisable. -d
2024 Jun 19
2
An Analysis of the DHEat DoS Against SSH in Cloud Environments
On Wed, 2024-06-19 at 09:19 -0400, chris wrote: > real world example (current snapshot of portable on linux v. dheater) Thanks for this. However, much more extensive testing would be needed to show it is a complete solution. In my original research article, I used CPU idle time as the main metric. Also, I showed that very low-latency network links could bypass the existing countermeasures.
2025 Apr 02
1
Call for testing: OpenSSH 10.0
...onfigures their own $DISPLAY, > but don't happen in normal operation. bz#3730 > > * ssh-keygen(1): don't mess up ssh-keygen -l output when the file > contains CR characters; GHPR236 bz3385. > > * sshd(8): add rate limits to logging of connections dropped by > PerSourcePenalties. Previously these could be noisy in logs. > > * ssh(1): fix argument of "Compression" directive in ssh -G config > dump, which regressed in openssh-9.8. > > * sshd(8): fix a corner-case triggered by UpdateHostKeys when sshd > refuses to accept the signature retur...
2025 Apr 01
9
Call for testing: OpenSSH 10.0
...X11DisplayOffset or the user misconfigures their own $DISPLAY, but don't happen in normal operation. bz#3730 * ssh-keygen(1): don't mess up ssh-keygen -l output when the file contains CR characters; GHPR236 bz3385. * sshd(8): add rate limits to logging of connections dropped by PerSourcePenalties. Previously these could be noisy in logs. * ssh(1): fix argument of "Compression" directive in ssh -G config dump, which regressed in openssh-9.8. * sshd(8): fix a corner-case triggered by UpdateHostKeys when sshd refuses to accept the signature returned by an agent holding host...
2024 Jun 24
1
An Analysis of the DHEat DoS Against SSH in Cloud Environments
On 6/19/24 4:11 PM, Joseph S. Testa II wrote: > On Wed, 2024-06-19 at 09:19 -0400, chris wrote: >> real world example (current snapshot of portable on linux v. dheater) > > Thanks for this. However, much more extensive testing would be needed > to show it is a complete solution. In my original research article, I > used CPU idle time as the main metric. Also, I showed that
2024 Jul 16
1
[Bug 3711] New: How do you defend against the D (HE) ater attack?
https://bugzilla.mindrot.org/show_bug.cgi?id=3711 Bug ID: 3711 Summary: How do you defend against the D (HE) ater attack? Product: Portable OpenSSH Version: -current Hardware: All OS: All Status: NEW Severity: security Priority: P5 Component: sshd Assignee: unassigned-bugs at
2025 Feb 18
0
Announce: Portable OpenSSH 9.9p2 released
...erifyHostKeyDNS option is enabled. This option is off by default. * Fix CVE-2025-26466 - sshd(8) in OpenSSH versions 9.5p1 to 9.9p1 (inclusive) is vulnerable to a memory/CPU denial-of-service related to the handling of SSH2_MSG_PING packets. This condition may be mitigated using the existing PerSourcePenalties feature. Both vulnerabilities were discovered and demonstrated to be exploitable by the Qualys Security Advisory team. We thank them for their detailed review of OpenSSH. For OpenBSD, fixes to these problems are available as errata; refer to https://www.openbsd.org/errata.html Bugfixes ========...