.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
-.\" $OpenBSD: sshd_config.5,v 1.358 2024/06/06 21:14:49 jmc Exp $
-.Dd $Mdocdate: June 6 2024 $
+.\" $OpenBSD: sshd_config.5,v 1.359 2024/06/11 01:07:35 djm Exp $
+.Dd $Mdocdate: June 11 2024 $
.Dt SSHD_CONFIG 5
.Os
.Sh NAME
Controls penalties for various conditions that may represent attacks on
.Xr sshd 8 .
If a penalty is enforced against a client then its source address and any
-others in the
-.Cm PerSourceNetBlockSize
+others in the same network, as defined by
+.Cm PerSourceNetBlockSize ,
will be refused connection for a period.
+.Pp
A penalty doesn't affect concurrent connections in progress, but multiple
penalties from the same source from concurrent connections will accumulate
up to a maximum.
Conversely, penalties are not applied until a minimum threshold time has been
accumulated.
-Penalties are off by default but may be enabled using default settings using the
-.Cm yes
-keyword or by specifying one or more of the keywords below.
.Pp
-Penalties are controlled using the following keywords, all of which accept
-arguments, e.g.\&
+Penalties are enabled by default with the default settings listed below
+but may disabled using the
+.Cm off
+keyword.
+The defaults may be overridden by specifying one or more of the keywords below,
+separated by whitespace.
+All keywords accept arguments, e.g.\&
.Qq crash:2m .
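Review bot: the added line "but may disabled using the" is missing a word; it should read "but may be disabled using the". While this sentence is being rewritten, "Penalties are enabled by default with the default settings listed below" repeats "default"; "Penalties are enabled by default with the settings listed below" says the same thing more cleanly.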
.Bl -tag -width Ds
.It Cm crash:duration
Specifies how long to refuse clients that cause a crash of
-.Xr sshd 8 .
+.Xr sshd 8 (default: 90s).
.It Cm authfail:duration
Specifies how long to refuse clients that disconnect after making one or more
-unsuccessful authentication attempts.
+unsuccessful authentication attempts (default: 5s).
.It Cm noauth:duration
Specifies how long to refuse clients that disconnect without attempting
-authentication.
+authentication (default: 1s).
This timeout should be used cautiously otherwise it may penalise legitimate
scanning tools such as
.Xr ssh-keyscan 1 .
.It Cm grace-exceeded:duration
Specifies how long to refuse clients that fail to authenticate after
-.Cm LoginGraceTime .
+.Cm LoginGraceTime (default: 20s).
.It Cm max:duration
Specifies the maximum time a particular source address range will be refused
-access for.
+access for (default: 10m).
Repeated penalties will accumulate up to this maximum.
.It Cm min:duration
-Specifies the minimum penalty that must accrue before enforcement begins.
+Specifies the minimum penalty that must accrue before enforcement begins
+(default: 15s).
.It Cm max-sources:number
-Specifies the maximum number of penalise client address ranges to track.
+Specifies the maximum number of penalise client address ranges to track
+(default: 65536).
.It Cm overflow:mode
Controls how the server behaves when
.Cm max-sources
.Cm PerSourcePenaltyExemptList
until a penalty expires, and
.Cm permissive ,
-which allows new connections by removing existing penalties early.
+which allows new connections by removing existing penalties early
+(default: permissive).
.El
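Review bot: in the crash and grace-exceeded items, the defaults are appended to a macro line rather than written as plain text: ".Xr sshd 8 (default: 90s)." hands "(default:" and "90s)." to Xr, which only takes a name and a section, and ".Cm LoginGraceTime (default: 20s)." makes the parenthetical part of the Cm argument, so it will be set in the same bold font as the keyword. Put each parenthetical on its own line after the macro, as the authfail, noauth and max items already do with their plain-text lines:
.Xr sshd 8
(default: 90s).
and
.Cm LoginGraceTime
(default: 20s).
Also, the rewritten max-sources line still carries the pre-existing typo "penalise client address ranges"; since the line is being touched anyway, "penalised client address ranges" would fix it.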
.It Cm PerSourcePenaltyExemptList
Specifies a comma-separated list of addresses to exempt from penalties.