From: Philip Paeps <philip@freebsd.org>
To: Alexander Leidinger
Cc: freebsd-arch@freebsd.org
Subject: Re: Any particular reason we don't have sshd oomprotected by default?
Date: Thu, 09 Nov 2023 19:18:53 +0800
Message-ID: <5F066A40-CD1D-4D32-850E-0A85D86AE499@freebsd.org>
In-Reply-To: <8b9484ba83e373ece0e322e14c924da6@Leidinger.net>

On 2023-11-09 15:54:22 (+0800), Alexander Leidinger wrote:
> We have syslogd oomprotected by default (/etc/defaults/rc.conf). Is
> there a particular reason we don't have sshd protected the same way?
>
> Any objections if I were to commit such a change (sshd_oomprotect=YES in
> defaults/rc.conf)?

I don't have feelings about it either way. It probably makes sense to
optimise for installations that don't have out of band access.

> I was also thinking about which other daemon we should protect by
> default, but apart from the need to make sure important logs are
> written to find issues which may have caused the oom trigger, and the
> need to be able to login to such a troubled system, I didn't see any
> other service as such critical (we could argue about ntpd, but I tend
> to be on the "may be protected" (not for my use cases) and not to be
> on the "has to be protected" side) to include it in this proposal.

In the FreeBSD.org cluster, we set local_unbound_oomprotect="YES" too.
Without DNS, everything grinds to a halt. Including SSH.

Philip

-- 
Philip Paeps
Senior Reality Engineer
Alternative Enterprises
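As an added example that is not part of the thread or of FreeBSD's rc scripts: a POSIX sh script that applies rc.conf(5) precedence (/etc/defaults/rc.conf first, /etc/rc.conf overriding it) to constructed sample files and lists which daemons end up with their *_oomprotect knob set, accepting the same yes/true/on/1 values as rc.subr's checkyesno. The sample file contents and the oomprotected_daemons/is_yes helpers are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not code from the thread): report which daemons end up
# OOM-protected once rc.conf(5) precedence is applied. /etc/defaults/rc.conf
# is read first and /etc/rc.conf overrides it, so a default NO can be turned
# into YES locally and vice versa. All inputs are constructed samples written
# under a temp dir, never the real system files.

tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
mkdir -p "$tmp/etc/defaults"

# Constructed stand-in for /etc/defaults/rc.conf, showing only the knobs
# the thread discusses: syslogd is protected by default, the others are not.
cat > "$tmp/etc/defaults/rc.conf" <<'EOF'
syslogd_oomprotect="YES"
sshd_oomprotect="NO"
ntpd_oomprotect="NO"
local_unbound_oomprotect="NO"
EOF

# Constructed stand-in for /etc/rc.conf, mirroring the proposal (sshd) and
# the FreeBSD.org cluster setting (local_unbound) mentioned in the mail.
cat > "$tmp/etc/rc.conf" <<'EOF'
sshd_oomprotect=YES
local_unbound_oomprotect="YES"
EOF

# Same truth test as rc.subr's checkyesno: yes/true/on/1, case-insensitive.
is_yes() {
    case $1 in
    [Yy][Ee][Ss]|[Tt][Rr][Uu][Ee]|[Oo][Nn]|1) return 0 ;;
    *) return 1 ;;
    esac
}

# Print the daemon names whose <name>_oomprotect evaluates true after both
# files under the root $1 are applied, one per line, sorted. Sourcing is done
# in a subshell so the sample variables never leak into the caller.
oomprotected_daemons() {
    (
        . "$1/etc/defaults/rc.conf"
        [ -r "$1/etc/rc.conf" ] && . "$1/etc/rc.conf"
        set | sed -n 's/^\([A-Za-z0-9_]*\)_oomprotect=.*/\1/p' |
        while read -r name; do
            eval "val=\$${name}_oomprotect"
            is_yes "$val" && echo "$name"
        done | sort
    )
}

oomprotected_daemons "$tmp"
```

Running it prints local_unbound, sshd and syslogd, one per line; ntpd stays unprotected because nothing overrides its default NO.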