No logging of penalised clients by default?
Erik Thuning
thuning at dsv.su.se
Tue Sep 16 21:46:44 AEST 2025
On 2025-09-16 05:47, Damien Miller wrote:
> Yeah, it's to avoid logspam. Maybe we could be more nuanced. Does this
> help? It logs penalties at the default level when they become active.
>
> diff --git a/srclimit.c b/srclimit.c
> index 8a47588e4..c62763724 100644
> --- a/srclimit.c
> +++ b/srclimit.c
> @@ -427,7 +427,9 @@ srclimit_penalise(struct xaddr *addr, int
> penalty_type)
> penalty->active = 1;
> if (RB_INSERT(penalties_by_expiry, by_expiry,
> penalty) != NULL)
> fatal_f("internal error: %s penalty tables
> corrupt", t);
> - verbose_f("%s: new %s %s penalty of %d seconds for %s", t,
> + do_log2_f(penalty->active ?
> + SYSLOG_LEVEL_INFO : SYSLOG_LEVEL_VERBOSE,
> + "%s: new %s %s penalty of %d seconds for %s", t,
> addrnetmask, penalty->active ? "active" : "deferred",
> penalty_secs, reason);
> if (++(*npenaltiesp) > (size_t)max_sources)
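Review bot: the level selection in the new do_log2_f() call only ever yields SYSLOG_LEVEL_VERBOSE if penalty->active can still be 0 when the message is emitted, yet the context line `penalty->active = 1;` at the top of this hunk reads as unconditional; the hunk starts too late to show whether that assignment sits inside an if block, so it is worth confirming, because if it does not, every new penalty is logged at INFO and the deferred/verbose split (and the existing "active"/"deferred" wording in the message) never takes effect.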
> @@ -446,7 +448,7 @@ srclimit_penalise(struct xaddr *addr, int
> penalty_type)
> existing->expiry = now + penalty_cfg.penalty_max;
> if (existing->expiry - now > penalty_cfg.penalty_min &&
> !existing->active) {
> - verbose_f("%s: activating %s penalty of %lld seconds
> for %s",
> + logit_f("%s: activating %s penalty of %lld seconds for
> %s",
> addrnetmask, t, (long long)(existing->expiry - now),
> reason);
> existing->active = 1;
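Review bot: logit_f() hard-coding the default level here is correct, since the enclosing condition `!existing->active` guarantees this branch is exactly the deferred-to-active transition, so it matches the first hunk's treatment of new active penalties; what is missing is a documentation update, because the patch touches only srclimit.c while changing what operators see at the default LogLevel, so the PerSourcePenalties text in sshd_config(5) should say that penalties are logged at the default level when they become active and only at verbose level while deferred. A small style point while touching these lines: the two messages order the address and the ipv4/ipv6 tag differently (`t` first in the "new" message, `addrnetmask` first in this one), which makes them awkward to match with a single log pattern.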
Thanks, yes that looks like a very reasonable change to me. Logging
newly activated penalties at the default level, especially along with
the penalty time, makes it much easier to know the current
connectivity state without overloading the log with every violation.
As an aside, I really like the approach taken with penalisation scores
being used directly as lockout times. It makes it so much easier to
reason about what's happening when reading the logs. Even though this
feature took me by surprise, I think it's a great addition.
While I'm at it, is there any chance that we'd be able to exempt DNS
names in addition to IPs/CIDRs? It's not all that important, but we
usually prefer using DNS names as far as possible since they make it
more immediately obvious what is being targeted. I realize there's
overhead etc. involved that might make it unreasonable to do though. For
the moment we haven't actually needed to exempt anything, since the
defaults are liberal enough that things like monitoring are connecting
at low enough rates to not get blocked. Strictly a wishlist item.
Thanks again!
/T
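As an added illustration (not part of this thread or of OpenSSH itself), the following Python reconstructs which sources are currently penalised from default-level sshd log lines in the two formats the patch produces, which is the "current connectivity state" question raised above. The sample log lines are constructed; the `srclimit_penalise:` function prefix and the timestamp/host layout are assumptions about the surrounding syslog format.

```python
import re
from datetime import datetime, timedelta

# Message patterns follow the two format strings in the patch:
#   "<ipv4|ipv6>: new <addr/mask> <active|deferred> penalty of <N> seconds for <reason>"
#   "<addr/mask>: activating <ipv4|ipv6> penalty of <N> seconds for <reason>"
# The "srclimit_penalise: " prefix is an assumption (OpenSSH *_f loggers prepend the function name).
NEW_RE = re.compile(
    r"srclimit_penalise: (?P<fam>ipv[46]): new (?P<addr>\S+) "
    r"(?P<state>active|deferred) penalty of (?P<secs>\d+) seconds for (?P<reason>.+)$")
ACT_RE = re.compile(
    r"srclimit_penalise: (?P<addr>\S+): activating (?P<fam>ipv[46]) "
    r"penalty of (?P<secs>\d+) seconds for (?P<reason>.+)$")
# Assumed syslog line layout: ISO timestamp, host, "sshd[pid]: message".
TS_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: (?P<msg>.*)$")

# Constructed sample log. The first line only appears at LogLevel VERBOSE after the
# patch; the remaining three are what a default-level log would show.
SAMPLE_LOG = """\
2025-09-16T09:00:00 host sshd[1234]: srclimit_penalise: ipv4: new 192.0.2.10/32 deferred penalty of 5 seconds for failed authentication
2025-09-16T09:00:20 host sshd[1234]: srclimit_penalise: 192.0.2.10/32: activating ipv4 penalty of 40 seconds for failed authentication
2025-09-16T09:00:30 host sshd[1235]: srclimit_penalise: ipv6: new 2001:db8::/64 active penalty of 90 seconds for crash
2025-09-16T09:00:45 host sshd[1236]: srclimit_penalise: ipv4: new 198.51.100.7/32 active penalty of 10 seconds for failed authentication
""".splitlines()

def penalty_state(lines):
    """Map addr/mask -> (expiry, reason) for every penalty that has become active.

    Deferred "new" messages carry no lockout, so they are ignored; an "activating"
    message logs the remaining seconds, so expiry is the log time plus that value.
    """
    state = {}
    for line in lines:
        m = TS_RE.match(line)
        if not m:
            continue
        ts, msg = datetime.fromisoformat(m["ts"]), m["msg"]
        hit = NEW_RE.match(msg)
        if hit and hit["state"] != "active":
            continue
        hit = hit or ACT_RE.match(msg)
        if hit:
            state[hit["addr"]] = (ts + timedelta(seconds=int(hit["secs"])), hit["reason"])
    return state

def locked_out_at(lines, when):
    """Sorted list of sources whose active penalty has not yet expired at `when`."""
    return sorted(a for a, (exp, _) in penalty_state(lines).items() if exp > when)
```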