SSH Guidelines : Consider Adding PerSourceMaxStartups/PerSourceNetBlockSize #158

Description

@udf2457

I have not proposed a PR for this because you may consider 8.5p1 to be too modern for "modern", but I wanted to highlight a couple of interesting new config knobs:

PerSourceMaxStartups
Specifies the number of unauthenticated connections allowed from a given source address, or “none” if there is no limit. This limit is applied in addition to MaxStartups, whichever is lower. The default is none.

PerSourceNetBlockSize
Specifies the number of bits of source address that are grouped together for the purposes of applying PerSourceMaxStartups limits. Values for IPv4 and optionally IPv6 may be specified, separated by a colon. The default is 32:128, which means each address is considered individually.

See also: DDoS attack by using ssh-keyscan (https://bugzilla.mindrot.org/show_bug.cgi?id=3211)
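The two directives quoted above are easier to reason about with a small model of how sshd accounts for unauthenticated connections. The following Python is an added illustration written for this page; it is not OpenSSH code and not part of the issue. It assumes the semantics stated in the quoted manual text (per-source limit checked alongside the global one, with the lower effective limit winning) and simplifies MaxStartups to a single hard ceiling, ignoring the real directive's start:rate:full random-early-drop form. The netblock grouping uses Python's standard ipaddress module, so the example also shows how a PerSourceNetBlockSize such as 24:64 folds neighbouring addresses into one accounting bucket.

```python
"""Toy model of OpenSSH's PerSourceMaxStartups / PerSourceNetBlockSize accounting.

Added example for illustration only; not OpenSSH code. MaxStartups is
simplified to a single integer ceiling (the real directive accepts
start:rate:full and drops connections probabilistically above 'start').
"""
from __future__ import annotations

import ipaddress
from collections import Counter
from typing import Optional, Tuple


def parse_netblock_size(value: str) -> Tuple[int, int]:
    """Parse a PerSourceNetBlockSize value such as "24" or "24:64".

    Returns (ipv4_bits, ipv6_bits). When only one number is given the IPv6
    width keeps its default of 128, i.e. every IPv6 address is its own bucket.
    """
    parts = value.split(":")
    v4 = int(parts[0])
    v6 = int(parts[1]) if len(parts) > 1 else 128
    if not (0 <= v4 <= 32 and 0 <= v6 <= 128):
        raise ValueError(f"invalid PerSourceNetBlockSize: {value!r}")
    return v4, v6


def source_group(addr: str, netblock: Tuple[int, int]) -> str:
    """Return the network (e.g. '192.0.2.0/24') that addr is accounted under."""
    ip = ipaddress.ip_address(addr)
    bits = netblock[0] if ip.version == 4 else netblock[1]
    return str(ipaddress.ip_network(f"{ip}/{bits}", strict=False))


class StartupLimiter:
    """Counts pending (unauthenticated) connections globally and per source bucket."""

    def __init__(self, max_startups: int, per_source: Optional[int],
                 netblock: str = "32:128") -> None:
        self.max_startups = max_startups      # simplified MaxStartups ceiling
        self.per_source = per_source          # None mirrors the default "none"
        self.netblock = parse_netblock_size(netblock)
        self.pending: Counter = Counter()

    def total(self) -> int:
        return sum(self.pending.values())

    def connect(self, addr: str) -> bool:
        """Admit a new unauthenticated connection from addr, or refuse it.

        Both limits are checked; the connection is refused if either is hit,
        so the lower of the two is the effective ceiling for a single source.
        """
        if self.total() >= self.max_startups:
            return False
        group = source_group(addr, self.netblock)
        if self.per_source is not None and self.pending[group] >= self.per_source:
            return False
        self.pending[group] += 1
        return True

    def finish(self, addr: str) -> None:
        """Connection authenticated or closed: it no longer counts as pending."""
        group = source_group(addr, self.netblock)
        if self.pending[group] > 0:
            self.pending[group] -= 1


def simulate(netblock: str, per_source: Optional[int], addrs: list,
             max_startups: int = 10) -> list:
    """Open one unauthenticated connection per address and report admit/refuse."""
    limiter = StartupLimiter(max_startups, per_source, netblock)
    return [limiter.connect(a) for a in addrs]


if __name__ == "__main__":
    # Constructed sample: a burst of half-open connections from one /24.
    burst = ["192.0.2.1", "192.0.2.2", "192.0.2.3", "192.0.2.4"]
    print("default 32:128, no per-source limit:", simulate("32:128", None, burst))
    print("PerSourceMaxStartups 2, per address:", simulate("32:128", 2, burst))
    print("PerSourceMaxStartups 2, grouped /24:", simulate("24:64", 2, burst))
```

The last two lines of output show the practical difference between the defaults and a grouped netblock: with 32:128 four distinct addresses in the same /24 each get their own allowance, whereas with 24:64 they share a single bucket of two, which is the behaviour that makes the directive useful against the many-addresses-one-network pattern the linked bug describes.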
