No logging of penalised clients by default?
Erik Thuning
thuning at dsv.su.se
Mon Sep 15 18:11:36 AEST 2025
Hi!
I was debugging what I thought to be an exotic new failure mode in ssh
last week, with the following being the only hints in the auth log to go on:
2025-09-08T20:41:17.233159+02:00 servername sshd-session[884433]:
Connection closed by some.client.ip port 39200 [preauth]
2025-09-08T20:41:17.356525+02:00 servername sshd-session[884435]:
Connection closed by some.client.ip port 39204 [preauth]
2025-09-08T20:41:17.481084+02:00 servername sshd-session[884437]:
Connection closed by some.client.ip port 39220 [preauth]
2025-09-08T20:41:17.503513+02:00 servername sshd-session[884438]: Unable
to negotiate with some.client.ip port 39222: no matching host key type
found. Their offer: sk-ecdsa-sha2-nistp256 at openssh.com [preauth]
2025-09-08T20:41:17.528975+02:00 servername sshd-session[884439]: Unable
to negotiate with some.client.ip port 39224: no matching host key type
found. Their offer: sk-ssh-ed25519 at openssh.com [preauth]
When I turned on debug logging, I could immediately see that the issue
was the new penalisation feature (which I didn't even know existed, but
that's on me). What catches my eye here though is this:
2025-09-11T15:20:19.768262+02:00 servername sshd[1599576]: debug1:
srclimit_penalise: inactive penalty for ipv4 redacted.client.ip/32
already exists, 14 seconds remaining
2025-09-11T15:20:19.768299+02:00 servername sshd[1599576]:
srclimit_penalise: redacted.client.ip/32: activating ipv4 penalty of 19
seconds for penalty: failed authentication
The first line is obviously printed at debug1 level, and that's fine.
The second line isn't tagged debug though, so since we normally log at
INFO, I assume it's from VERBOSE.
Now, my question is why penalisation of clients isn't logged at INFO
level? Is it to reduce log spam? It would certainly be helpful from a
debugging perspective to see when a client is penalised, so if there is
no indication at the default log level, is there some way of listing
currently active penalties? I'm not seeing anything to that effect in
the manual.
Kind regards
Erik Thuning
Systems administrator
Stockholm University
More information about the openssh-unix-dev
mailing list