[Bug 3851] PerSourcePenaltyExemptList but for MaxStartups

bugzilla-daemon at mindrot.org bugzilla-daemon at mindrot.org
Thu Jul 24 10:03:26 AEST 2025


https://bugzilla.mindrot.org/show_bug.cgi?id=3851

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |djm at mindrot.org

--- Comment #1 from Damien Miller <djm at mindrot.org> ---
> Does the current setting of PerSourcePenaltyExemptList apply to
> connections that would be refused by MaxStartups settings?

No, it only applies to PerSourcePenalties.

> how about a new ExemptList but for MaxStartups?

I'd like that too but it's unfortunately quite tricky given the current
design of MaxStartups, which uses a fixed number of subprocess slots.
We'd need to redesign this fairly substantially.

A hacky workaround might be to run a 2nd instance of sshd and control
access to it using firewall rules.

> I'm also using PerSourceMaxStartups but lately the botnets are so
> distributed that it doesn't make a difference.

I find that heavily penalising clients that attempt invalid usernames
makes a huge difference. E.g.

> PerSourcePenalties refuseconnection:300
> # Allowlist root logins only from local addresses.
> Match user root address 127.0.0.0/8,::1,192.168.0.0/16
>         RefuseConnection no
> # Penalise connection attempts to invalid usernames.
> Match invalid-user
>         RefuseConnection yes
> # Penalise other attempts to log in as root.
> Match user root
>         RefuseConnection yes

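The config in the comment above relies on sshd's Match semantics: the criteria on one Match line are ANDed, and when several satisfied Match blocks set the same keyword, only the first one takes effect. That is why the block allowlisting root from local addresses has to come before the two penalising blocks. The following is an added example (not from the bug report or from OpenSSH's own code) that models just those semantics for the `user`, `address` and `invalid-user` criteria and the RefuseConnection keyword, so the ordering can be checked offline. The config text is a constructed copy of the fragment above; the evaluator is a deliberately simplified model and does not implement sshd's full pattern syntax.

```python
"""Simplified model of how sshd applies Match blocks to RefuseConnection.

Added example, not from the bug report or from OpenSSH itself. It models
only what the thread discusses: Match blocks with `user`, `address` and
`invalid-user` criteria and the RefuseConnection keyword. Real sshd
supports many more criteria and pattern forms; this is illustrative.
"""
import ipaddress
from dataclasses import dataclass, field

# Constructed sshd_config fragment, the same shape as the one in the comment.
SAMPLE_CONFIG = """\
PerSourcePenalties refuseconnection:300
# Allowlist root logins only from local addresses.
Match user root address 127.0.0.0/8,::1,192.168.0.0/16
        RefuseConnection no
# Penalise connection attempts to invalid usernames.
Match invalid-user
        RefuseConnection yes
# Penalise other attempts to log in as root.
Match user root
        RefuseConnection yes
"""


@dataclass
class MatchBlock:
    users: list = field(default_factory=list)      # from "user a,b"
    networks: list = field(default_factory=list)   # from "address cidr,cidr"
    invalid_user: bool = False                     # from "invalid-user"
    settings: dict = field(default_factory=dict)   # keywords inside the block

    def applies(self, user, addr, user_is_invalid):
        # All criteria on a Match line must hold (they are ANDed).
        if self.invalid_user and not user_is_invalid:
            return False
        if self.users and user not in self.users:
            return False
        if self.networks:
            ip = ipaddress.ip_address(addr)
            # `in` is False for a v4 address against a v6 network, and vice versa.
            if not any(ip in net for net in self.networks):
                return False
        return True


def parse_config(text):
    """Return (global_settings, [MatchBlock, ...]) for a config fragment."""
    global_settings, blocks, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        keyword, _, rest = line.partition(" ")
        if keyword.lower() == "match":
            current = MatchBlock()
            tokens = rest.split()
            i = 0
            while i < len(tokens):
                crit = tokens[i].lower()
                if crit == "invalid-user":
                    current.invalid_user = True
                    i += 1
                elif crit == "user":
                    current.users = tokens[i + 1].split(",")
                    i += 2
                elif crit == "address":
                    current.networks = [ipaddress.ip_network(c, strict=False)
                                        for c in tokens[i + 1].split(",")]
                    i += 2
                else:
                    raise ValueError(f"unsupported Match criterion: {crit}")
            blocks.append(current)
        else:
            # Keywords before any Match line are global; afterwards they
            # belong to the most recent Match block.
            target = global_settings if current is None else current.settings
            target[keyword.lower()] = rest.strip()
    return global_settings, blocks


def refuse_connection(config_text, user, addr, user_is_invalid=False):
    """Decide whether RefuseConnection is in effect for this (user, addr).

    sshd applies the FIRST satisfied Match block that sets a keyword; later
    blocks that also match do not override it. Hence the allowlisting block
    for local root must precede the penalising blocks.
    """
    global_settings, blocks = parse_config(config_text)
    for block in blocks:
        if block.applies(user, addr, user_is_invalid) and "refuseconnection" in block.settings:
            return block.settings["refuseconnection"].lower() == "yes"
    return global_settings.get("refuseconnection", "no").lower() == "yes"


if __name__ == "__main__":
    for user, addr, invalid in [("root", "192.168.1.5", False),
                                ("root", "203.0.113.7", False),
                                ("nosuchuser", "203.0.113.7", True),
                                ("alice", "203.0.113.7", False)]:
        verdict = "refuse" if refuse_connection(SAMPLE_CONFIG, user, addr, invalid) else "accept"
        print(f"{user} from {addr} ({'invalid' if invalid else 'valid'} user) -> {verdict}")
```

To test the real daemon rather than this model, `sshd -T -C user=root,addr=192.168.1.5` prints the effective configuration for a given connection spec, which is the authoritative way to confirm which Match block wins on a live host.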