search for: persourcepenaltyexemptlist

Displaying 3 results from an estimated 3 matches for "persourcepenaltyexemptlist".

2024 Jun 18
1
Call for testing: openssh-9.8
On 6/17/2024 22:46, Damien Miller wrote:
> This release contains mostly bugfixes.
>
> New features
> ------------
>
> * sshd(8): add the ability to penalise client addresses that, for
> various reasons, do not successfully complete authentication.
> sshd(8) will now identify situations where the session did not
> authenticate as expected. These
2024 Jun 18
2
Call for testing: openssh-9.8
...n: https://man.openbsd.org/sshd_config.5#PerSourcePenalties
> overflow:mode
> Controls how the server behaves when max-sources4 or max-sources6
> is exceeded. There are two operating modes: deny-all, which
> denies all incoming connections other than those exempted via
> PerSourcePenaltyExemptList until a penalty expires, and permissive,
> which allows new connections by removing existing penalties early
> (default: permissive). Note that client penalties below the min
> threshold count against the total number of tracked penalties. IPv4
> and IPv6 addresses are track...
2024 Jun 18
7
Call for testing: openssh-9.8
...connections from the client address will be refused (along with any others in the same PerSourceNetBlockSize CIDR range). Repeated offenses by the same client address will accrue greater penalties, up to a configurable maximum. Address ranges may be exempted from penalties using the PerSourcePenaltyExemptList option. We hope these options will make it significantly more difficult for attackers to find accounts with weak/guessable passwords or exploit bugs in sshd(8) itself. This option is enabled by default.
* ssh(8): allow the HostkeyAlgorithms directive to disable the implicit fallba...