Your browser does not allow storing cookies. We recommend enabling them.

SSH

Load Control

The purpose of load control is to help keep Tectia Server for IBM z/OS running when the load is high (that is, the number of current connections is near the maximum allowed number of connections). High load might be caused by a connection flood denial-of-service attack that tries to make the server unavailable to its intended users by using so much of its resources that normal service is disrupted.

Load control is implemented by keeping a "white list" of the IP addresses of connections that have had a successful authentication. When Tectia Server for IBM z/OS starts, the white list is empty. When the server's load is high, connections from IP addresses that are not on the white list (that is, connections that have not recently had a successful authentication) are discarded.

Load control uses four configuration variables in the sshd2_config file: MaxConnections, LoadControl.Active, LoadControl.DiscardLimit, and LoadControl.WhitelistSize.

The level of load is measured by how near the number of the server's current connections is to MaxConnections, the maximum number of connections that the server will handle simultaneously. The argument for MaxConnections is a positive number. The default value is 1000, and the value 0 (zero) means that the number of connections is not limited. MaxConnections must be greater than 1 when load control is used.

LoadControl.Active can have a value of yes or no. The default value is yes (load control is enabled).

[Note]Note

If MaxConnections is set to 0 or 1, load control is disabled even if you have set LoadControl.Active to yes in the sshd2_config file.

When the number of concurrent connections is greater than LoadControl.DiscardLimit, connections from IP addresses that have not recently had a successful authentication are discarded. When the number of concurrent connections is not greater than LoadControl.DiscardLimit, connections are accepted from any IP address (subject to restrictions defined with AllowHosts and DenyHosts). The allowed value range of LoadControl.DiscardLimit is from 1 to MaxConnections-1. The default value is 90 percent of the value of MaxConnections. If you have not defined any configuration settings (that is, only sshd2_config default values are used), the value of LoadControl.DiscardLimit is 900.

Tectia Server for IBM z/OS keeps a list of the IP addresses of connections that have had a successful authentication. This "white list" has space for a fixed number of unique IP addresses, specified by LoadControl.WhitelistSize. The default value of LoadControl.WhitelistSize is 1000.


 

 
PrivX
 

 

 
What to read next:

  • Reduce Secure Shell risk. Get to know the NIST 7966.



    The NISTIR 7966 guideline from the Computer Security Division of NIST is a direct call to action for organizations regardless of industry and is a mandate for the US Federal government.
    Download now
  • ISACA Practitioner Guide for SSH



    With contributions from practitioners, specialists and SSH.COM experts, the ISACA “SSH: Practitioner Considerations” guide is vital best practice from the compliance and audit community.
    Download now