Your browser does not allow storing cookies. We recommend enabling them.

SSH

Load Control

The purpose of load control is to help keep Tectia Server for IBM z/OS running when the load is high (that is, the number of current connections is near the maximum allowed number of connections). High load might be caused by a connection flood denial-of-service attack that tries to make the server unavailable to its intended users by using so much of its resources that normal service is disrupted.

Load control is implemented by keeping a "white list" of the IP addresses of connections that have had a successful authentication. When Tectia Server for IBM z/OS starts, the white list is empty. When the server's load is high, connections from IP addresses that are not on the white list (that is, connections that have not recently had a successful authentication) are discarded.

Load control uses four configuration variables in the sshd2_config file: MaxConnections, LoadControl.Active, LoadControl.DiscardLimit, and LoadControl.WhitelistSize.

[Note]Note

It is recommended to set LoadControl.Active to yes, and MaxConnections to a proper value to prevent sshd2 from forking too many processes which might exceed the USS BPXPRMxx MAXPROCSYS value. It is also recommended to set MaxConnections to roughly half of the MAXPROCSYS value. Adjust the values of TcpListenBacklog, TcpListenRate, and TcpListenPause according to your CPU and network speeds.

The level of load is measured by how near the number of the server's current connections is to MaxConnections, the maximum number of connections that the server will handle simultaneously. The argument for MaxConnections is a positive number. The default value is 1000, and the value 0 (zero) means that the number of connections is not limited. MaxConnections must be greater than 1 when load control is used.

LoadControl.Active can have a value of yes or no. The default value is no (load control is disabled). To enable load control, set LoadControl.Active to yes.

[Note]Note

If MaxConnections is set to 0 or 1, load control is disabled even if you have set LoadControl.Active to yes in the sshd2_config file.

When the number of concurrent connections is greater than LoadControl.DiscardLimit, connections from IP addresses that have not recently had a successful authentication are discarded. When the number of concurrent connections is not greater than LoadControl.DiscardLimit, connections are accepted from any IP address (subject to restrictions defined with AllowHosts and DenyHosts). The allowed value range of LoadControl.DiscardLimit is from 1 to MaxConnections-1. The default value is 90 percent of the value of MaxConnections. If you have not defined any configuration settings (that is, only sshd2_config default values are used), the value of LoadControl.DiscardLimit is 900.

Tectia Server for IBM z/OS keeps a list of the IP addresses of connections that have had a successful authentication. This "white list" has space for a fixed number of unique IP addresses, specified by LoadControl.WhitelistSize. The default value of LoadControl.WhitelistSize is 1000.



Want to see how PrivX can help your organisation?

Are you a DEVELOPER accessing cloud hosts, are you a IT ADMIN managing access & credentials in your corporation, are you BUSINESS MANAGER and want to save money or are you responsible of IT SECURITY in DevOps