Can a very large /etc/hosts.deny slow down SSH connections?

Solution 1:

Yes.

But it shouldn't be much of a slowdown unless you have names instead of IPs in there, have the PARANOID option set, or ident turned on (by asking for username info). And it will only slow down the initial connection, not affect anything once the connection is established and passing data.

You could try time tcpdmatch sshd 1.2.3.4 and time tcpdmatch sshd foo.example.com with the last item set to the hostname or IP of the system you're initiating connections from. That should reproduce most of the timing issues of sshd processing the /etc/hosts.deny file and show you how long it's taking.