Date: Fri, 10 Nov 2023 10:20:39 +0000
From: Gary Jennejohn
To: Alexander Leidinger
Cc: Philip Paeps, freebsd-arch@freebsd.org
Subject: Re: Any particular reason we don't have sshd oomprotected by default?
Message-ID: <20231110112039.214c6343@ernst.home>
References: <8b9484ba83e373ece0e322e14c924da6@Leidinger.net> <5F066A40-CD1D-4D32-850E-0A85D86AE499@freebsd.org>
Reply-To: garyj@gmx.de
X-Mailer: Claws Mail 3.19.1 (GTK+ 2.24.33; amd64-portbld-freebsd14.0)
List-Id: Discussion related to FreeBSD architecture
List-Archive: https://lists.freebsd.org/archives/freebsd-arch

On Fri, 10 Nov 2023 10:07:30 +0100 Alexander Leidinger wrote:
> On 2023-11-09 12:18, Philip Paeps wrote:
> > On 2023-11-09 15:54:22 (+0800), Alexander Leidinger wrote:
> >> We have syslogd oomprotected by default (/etc/defaults/rc.conf). Is
> >> there a particular reason we don't have sshd protected the same way?
> >>
> >> Any objections if I would commit such a change (sshd_oomprotect=YES in
> >> defaults/rc.conf)?
> >
> > I don't have feelings about it either way. It probably makes sense to
> > optimise for installations that don't have out of band access.
> >
> >> I was also thinking about which other daemon we should protect by
> >> default, but apart from the need to make sure important logs are
> >> written to find issues which may have caused the oom trigger, and the
> >> need to be able to login to such a troubled system, I didn't see any
> >> other service as such critical (we could argue about ntpd, but I tend
> >> to be on the "may be protected" (not for my use cases) and not to be
> >> on the "has to be protected" side) to include it in this proposal.
> >
> > In the FreeBSD.org cluster, we set local_unbound_oomprotect="YES" too.
> > Without DNS, everything grinds to a halt. Including SSH.
>
> https://reviews.freebsd.org/D42544
>

Fix the typos which bcr mentions and it will be ready to commit.

--
Gary Jennejohn
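An added example, not code from the thread or from FreeBSD's rc.subr: a POSIX sh script that mirrors how rc.subr turns a `${name}_oomprotect` setting into a protect(1) call (YES protects the daemon's pid, ALL adds -i so descendants inherit the protection; that mapping is assumed from rc.subr, not quoted from it) and then audits a constructed rc.conf fragment for enabled daemons that are still left to the OOM killer.

```sh
#!/bin/sh
# Added example, not code from the thread or from FreeBSD's rc.subr.
# oomprotect_cmd NAME VALUE PID: print the protect(1) call that rc.subr
# issues for ${NAME}_oomprotect=VALUE once the daemon is running as PID
# (mapping assumed from rc.subr: YES -> the pid only, ALL -> pid plus
# descendants via -i; anything else -> no call).
oomprotect_cmd() {
    case "$2" in
    [Aa][Ll][Ll]) echo "protect -i -p $3" ;;
    [Yy][Ee][Ss]) echo "protect -p $3" ;;
    *)            echo "" ;;
    esac
}

# Constructed rc.conf fragment: the existing syslogd default plus the two
# settings proposed in the thread, and an enabled ntpd left unprotected.
RC_CONF='syslogd_enable="YES"
syslogd_oomprotect="YES"
sshd_enable="YES"
sshd_oomprotect="YES"
local_unbound_enable="YES"
local_unbound_oomprotect="YES"
ntpd_enable="YES"
'

# rc_value VAR: value of VAR in RC_CONF with quotes stripped (last
# assignment wins, as in sh); empty if unset.
rc_value() {
    printf '%s\n' "$RC_CONF" |
        sed -n "s/^$1=\"\{0,1\}\([^\"]*\)\"\{0,1\}\$/\1/p" | tail -n 1
}

# unprotected_daemons: one line per enabled daemon whose _oomprotect is
# neither YES nor ALL, i.e. still fair game for the OOM killer.
unprotected_daemons() {
    printf '%s\n' "$RC_CONF" |
        sed -n 's/^\([a-z_]*\)_enable="\{0,1\}[Yy][Ee][Ss]"\{0,1\}$/\1/p' |
        while read -r name; do
            case "$(rc_value "${name}_oomprotect")" in
            [Yy][Ee][Ss]|[Aa][Ll][Ll]) ;;
            *) printf '%s\n' "$name" ;;
            esac
        done
}

# Stand-alone run: show what rc.subr would do for sshd, then list the gaps.
oomprotect_cmd sshd "$(rc_value sshd_oomprotect)" 4242
unprotected_daemons
```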