bugzilla-daemon at mindrot.org
2025-Jul-23  13:55 UTC
[Bug 3851] New: PerSourcePenaltyExemptList but for MaxStartups
https://bugzilla.mindrot.org/show_bug.cgi?id=3851
            Bug ID: 3851
           Summary: PerSourcePenaltyExemptList but for MaxStartups
           Product: Portable OpenSSH
           Version: 10.0p2
          Hardware: Other
                OS: Linux
            Status: NEW
          Severity: enhancement
          Priority: P5
         Component: sshd
          Assignee: unassigned-bugs at mindrot.org
          Reporter: andy-bugzilla.mindrot.org at strugglers.net
Hi,
Does the current setting of PerSourcePenaltyExemptList apply to
connections that would be refused by MaxStartups settings? I've tried
to test this and I think these netblocks are not exempt from that,
although possibly I made an error in my testing.
If they're not exempt, how about making it so that they are? Or if that
would be too much of an unexpected change in behaviour, how about a new
ExemptList but for MaxStartups?
The issue I'm having is that I set MaxStartups quite high but even so,
botnets use up all the slots and my legitimate users and monitoring
start to have their connections refused.
I'm also using PerSourceMaxStartups but lately the botnets are so
distributed that it doesn't make a difference.
I'd like to be able to provide a list of netblocks that will be allowed
a startup even if MaxStartups has been hit.
I am sadly unable to firewall off the SSH port or require all users to
use a VPN (some of them do, and these would benefit from such a
setting).
Thanks,
Andy
-- 
You are receiving this mail because:
You are watching the assignee of the bug.
bugzilla-daemon at mindrot.org
2025-Jul-24  00:03 UTC
[Bug 3851] PerSourcePenaltyExemptList but for MaxStartups
https://bugzilla.mindrot.org/show_bug.cgi?id=3851
Damien Miller <djm at mindrot.org> changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |djm at mindrot.org
--- Comment #1 from Damien Miller <djm at mindrot.org> ---
> Does the current setting of PerSourcePenaltyExemptList apply to
> connections that would be refused by MaxStartups settings?
No, it only applies to PerSourcePenalties.
> how about a new ExemptList but for MaxStartups?
I'd like that too but it's unfortunately quite tricky given the current
design of MaxStartups, which uses a fixed number of subprocess slots.
We'd need to redesign this fairly substantially.
A hacky workaround might be to run a 2nd instance of sshd and control
access to it using firewall rules.
> I'm also using PerSourceMaxStartups but lately the botnets are so
> distributed that it doesn't make a difference.
I find that heavily penalising clients that attempt invalid usernames
makes a huge difference. E.g.
> PerSourcePenalties refuseconnection:300
> # Allowlist root logins only from local addresses.
> Match user root address 127.0.0.0/8,::1,192.168.0.0/16
>         RefuseConnection no
> # Penalise connection attempts to invalid usernames.
> Match invalid-user
>         RefuseConnection yes
> # Penalise other attempts to log in as root.
> Match user root
>         RefuseConnection yes
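The configuration in the comment relies on two documented sshd behaviours: when several Match blocks are satisfied, only the first instance of a keyword is applied (which is why the "root from local addresses" block must precede the general "user root" block), and a source that triggers RefuseConnection is penalised for the configured period, so its later attempts are turned away before they reach authentication. The following model, which is an added example and not OpenSSH code, plays through both rules on a few constructed events. The user list, the RFC 5737 source addresses, and the way a repeated refusal extends an existing penalty are all assumptions made for the illustration.

```python
"""Model of how the sshd_config Match blocks and PerSourcePenalties in the
comment interact. Added illustration, not OpenSSH's own code."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class MatchBlock:
    """One Match block; None means the criterion is not part of the block."""
    users: Optional[set] = None
    addresses: Optional[list] = None     # CIDR strings, as in the config
    invalid_user: bool = False
    refuse_connection: Optional[bool] = None


# Transcription of the configuration shown in the comment.
CONFIG = [
    MatchBlock(users={"root"},
               addresses=["127.0.0.0/8", "::1", "192.168.0.0/16"],
               refuse_connection=False),
    MatchBlock(invalid_user=True, refuse_connection=True),
    MatchBlock(users={"root"}, refuse_connection=True),
]
PENALTY_SECONDS = 300            # PerSourcePenalties refuseconnection:300
VALID_USERS = {"root", "andy"}   # constructed account list


def _addr_matches(addr, cidrs):
    ip = ipaddress.ip_address(addr)
    for cidr in cidrs:
        net = ipaddress.ip_network(cidr, strict=False)
        if ip.version == net.version and ip in net:
            return True
    return False


def refuse_connection(user, addr, valid_users=VALID_USERS, config=CONFIG):
    """True if RefuseConnection ends up in effect for (user, source).
    Among the satisfied Match blocks, the first one that sets the
    keyword wins; the global default is 'no'."""
    decided = None
    for blk in config:
        if blk.users is not None and user not in blk.users:
            continue
        if blk.addresses is not None and not _addr_matches(addr, blk.addresses):
            continue
        if blk.invalid_user and user in valid_users:
            continue
        if decided is None and blk.refuse_connection is not None:
            decided = blk.refuse_connection
    return bool(decided)


class PenaltyTable:
    """Per-source penalty state, keyed by source address."""

    def __init__(self, seconds=PENALTY_SECONDS):
        self.seconds = seconds
        self.expires = {}   # source -> time the penalty lapses

    def accept(self, addr, now):
        """Checked before a startup slot is used; False while penalised."""
        exp = self.expires.get(addr)
        return exp is None or now >= exp

    def record_refusal(self, addr, now):
        # Assumption for the model: a new refusal extends any running penalty.
        base = max(self.expires.get(addr, 0), now)
        self.expires[addr] = base + self.seconds


def simulate(events, penalties=None):
    """events: (time, source, user) tuples; returns an outcome per event."""
    if penalties is None:
        penalties = PenaltyTable()
    outcomes = []
    for t, src, user in events:
        if not penalties.accept(src, t):
            outcomes.append((t, src, user, "refused:penalised"))
        elif refuse_connection(user, src):
            penalties.record_refusal(src, t)
            outcomes.append((t, src, user, "refused:RefuseConnection"))
        else:
            outcomes.append((t, src, user, "accepted"))
    return outcomes


# Constructed sequence of connection attempts (time in seconds).
EVENTS = [
    (0, "127.0.0.1", "root"),       # first block wins: root from loopback allowed
    (1, "203.0.113.5", "root"),     # third block: refused, source penalised 300s
    (2, "203.0.113.5", "andy"),     # valid user, but the penalty is still running
    (5, "203.0.113.9", "admin"),    # invalid-user block: refused, penalised
    (310, "203.0.113.5", "andy"),   # penalty lapsed: attempt reaches authentication
]

if __name__ == "__main__":
    for t, src, user, outcome in simulate(EVENTS):
        print(f"t={t:>3} {src:<13} {user:<6} {outcome}")
```

Reordering the first and third Match blocks in CONFIG makes the loopback root login refused as well, which is the ordering pitfall the first-match rule creates; the model also shows why penalising invalid usernames helps with MaxStartups pressure, since a penalised source is turned away before it occupies a slot.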