[Bug 3851] New: PerSourcePenaltyExemptList but for MaxStartups
bugzilla-daemon at mindrot.org
Wed Jul 23 23:55:02 AEST 2025
https://bugzilla.mindrot.org/show_bug.cgi?id=3851
Bug ID: 3851
Summary: PerSourcePenaltyExemptList but for MaxStartups
Product: Portable OpenSSH
Version: 10.0p2
Hardware: Other
OS: Linux
Status: NEW
Severity: enhancement
Priority: P5
Component: sshd
Assignee: unassigned-bugs at mindrot.org
Reporter: andy-bugzilla.mindrot.org at strugglers.net
Hi,
Does the current setting of PerSourcePenaltyExemptList apply to
connections that would be refused by MaxStartups settings? I've tried
to test this and I think these netblocks are not exempt from that,
although possibly I made an error in my testing.
If they're not exempt, how about making it so that they are? Or if that
would be too much of an unexpected change in behaviour, how about a new
ExemptList but for MaxStartups?
The issue I'm having is that I set MaxStartups quite high but even so,
botnets use up all the slots and my legitimate users and monitoring
start to have their connections refused.
I'm also using PerSourceMaxStartups but lately the botnets are so
distributed that it doesn't make a difference.
I'd like to be able to provide a list of netblocks that will be allowed
a startup even if MaxStartups has been hit.
I am sadly unable to firewall off the SSH port or require all users to
use a VPN (some of them do, and these would benefit from such a
setting).
Thanks,
Andy
--
You are receiving this mail because:
You are watching the assignee of the bug.