No logging of penalised clients by default?

Erik Thuning thuning at dsv.su.se
Tue Sep 16 21:46:44 AEST 2025


On 2025-09-16 05:47, Damien Miller wrote:
> Yeah, it's to avoid logspam. Maybe we could be more nuanced. Does this
> help? It logs penalties at the default level when they become active.
>
> diff --git a/srclimit.c b/srclimit.c
> index 8a47588e4..c62763724 100644
> --- a/srclimit.c
> +++ b/srclimit.c
> @@ -427,7 +427,9 @@ srclimit_penalise(struct xaddr *addr, int 
> penalty_type)
>                          penalty->active = 1;
>                  if (RB_INSERT(penalties_by_expiry, by_expiry, 
> penalty) != NULL)
>                          fatal_f("internal error: %s penalty tables 
> corrupt", t);
> -               verbose_f("%s: new %s %s penalty of %d seconds for %s", t,
> +               do_log2_f(penalty->active ?
> +                   SYSLOG_LEVEL_INFO : SYSLOG_LEVEL_VERBOSE,
> +                   "%s: new %s %s penalty of %d seconds for %s", t,
>                      addrnetmask, penalty->active ? "active" : "deferred",
>                      penalty_secs, reason);
>                  if (++(*npenaltiesp) > (size_t)max_sources)
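Review bot: in the new do_log2_f call, the log level is derived from `penalty->active` on one line and the "active"/"deferred" word from the same field two lines later; hoisting `penalty->active` into a local before the call (or selecting both the level and the word from it in one place) keeps the two from drifting apart if the condition is ever refined. Also worth noting that this message uses `%d` for `penalty_secs` while the activation message in the next hunk prints `%lld` of `expiry - now`, so the two INFO-level lines describing the same penalty have different shapes.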
> @@ -446,7 +448,7 @@ srclimit_penalise(struct xaddr *addr, int 
> penalty_type)
>                  existing->expiry = now + penalty_cfg.penalty_max;
>          if (existing->expiry - now > penalty_cfg.penalty_min &&
>              !existing->active) {
> -               verbose_f("%s: activating %s penalty of %lld seconds 
> for %s",
> +               logit_f("%s: activating %s penalty of %lld seconds for 
> %s",
>                      addrnetmask, t, (long long)(existing->expiry - now),
>                      reason);
>                  existing->active = 1;
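Review bot: the activation message at the default level reads "activating %s penalty of %lld seconds for %s" whereas the new-penalty message reads "new %s %s penalty of %d seconds for %s", so an operator grepping the default log for currently active penalties needs two patterns; consider a shared wording such as "penalty for <addr> now active for N seconds" in both places. Since penalties now appear at the default level when they become active, the option's documentation should say so, so that the new lines are not mistaken for a new blocking behaviour rather than a logging change.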

Thanks, yes that looks like a very reasonable change to me. Logging 
newly activated penalties at the default level, especially along with 
the penalty time, makes it much easier to know the current 
connectivity state without overloading the log with every violation.

As an aside, I really like the approach taken with penalisation scores 
being used directly as lockout times. It makes it so much easier to 
reason about what's happening when reading the logs. Even though this 
feature took me by surprise, I think it's a great addition.

While I'm at it, is there any chance that we'd be able to exempt DNS 
names in addition to IPs/CIDRs? It's not all that important, but we 
usually prefer using DNS names as far as possible since they make it 
more immediately obvious what is being targeted. I realize there's 
overhead etc involved that might make it unreasonable to do though. For 
the moment we haven't actually needed to exempt anything, since the 
defaults are liberal enough that things like monitoring are connecting 
at low enough rates to not get blocked. Strictly a wishlist item.

Thanks again!

/T

