From 8228638438a7042b3e5eda12114dedfa4bb4d202 Mon Sep 17 00:00:00 2001 From: djm Date: Tue, 11 Jun 2024 01:07:35 +0000 Subject: [PATCH] update to mention that PerSourcePenalties default to being enabled and document the default values for each parameter. --- usr.bin/ssh/sshd_config.5 | 40 ++++++++++++++++++++++----------------- 1 file changed, 23 insertions(+), 17 deletions(-) diff --git a/usr.bin/ssh/sshd_config.5 b/usr.bin/ssh/sshd_config.5 index 92c183466dc..7b2c822d165 100644 --- a/usr.bin/ssh/sshd_config.5 +++ b/usr.bin/ssh/sshd_config.5 @@ -33,8 +33,8 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: sshd_config.5,v 1.358 2024/06/06 21:14:49 jmc Exp $ -.Dd $Mdocdate: June 6 2024 $ +.\" $OpenBSD: sshd_config.5,v 1.359 2024/06/11 01:07:35 djm Exp $ +.Dd $Mdocdate: June 11 2024 $ .Dt SSHD_CONFIG 5 .Os .Sh NAME @@ -1562,45 +1562,50 @@ which means each address is considered individually. Controls penalties for various conditions that may represent attacks on .Xr sshd 8 . If a penalty is enforced against a client then its source address and any -others in the -.Cm PerSourceNetBlockSize +others in the same network, as defined by +.Cm PerSourceNetBlockSize , will be refused connection for a period. +.Pp A penalty doesn't affect concurrent connections in progress, but multiple penalties from the same source from concurrent connections will accumulate up to a maximum. Conversely, penalties are not applied until a minimum threshold time has been accumulated. -Penalties are off by default but may be enabled using default settings using the -.Cm yes -keyword or by specifying one or more of the keywords below. .Pp -Penalties are controlled using the following keywords, all of which accept -arguments, e.g.\& +Penalties are enabled by default with the default settings listed below +but may disabled using the +.Cm off +keyword. +The defaults may be overridden by specifying one or more of the keywords below, +separated by whitespace. +All keywords accept arguments, e.g.\& .Qq crash:2m . .Bl -tag -width Ds .It Cm crash:duration Specifies how long to refuse clients that cause a crash of -.Xr sshd 8 . +.Xr sshd 8 (default: 90s). .It Cm authfail:duration Specifies how long to refuse clients that disconnect after making one or more -unsuccessful authentication attempts. +unsuccessful authentication attempts (default: 5s). .It Cm noauth:duration Specifies how long to refuse clients that disconnect without attempting -authentication. +authentication (default: 1s). This timeout should be used cautiously otherwise it may penalise legitimate scanning tools such as .Xr ssh-keyscan 1 . .It Cm grace-exceeded:duration Specifies how long to refuse clients that fail to authenticate after -.Cm LoginGraceTime . +.Cm LoginGraceTime (default: 20s). .It Cm max:duration Specifies the maximum time a particular source address range will be refused -access for. +access for (default: 10m). Repeated penalties will accumulate up to this maximum. .It Cm min:duration -Specifies the minimum penalty that must accrue before enforcement begins. +Specifies the minimum penalty that must accrue before enforcement begins +(default: 15s). .It Cm max-sources:number -Specifies the maximum number of penalise client address ranges to track. +Specifies the maximum number of penalise client address ranges to track +(default: 65536). .It Cm overflow:mode Controls how the server behaves when .Cm max-sources @@ -1611,7 +1616,8 @@ which denies all incoming connections other than those exempted via .Cm PerSourcePenaltyExemptList until a penalty expires, and .Cm permissive , -which allows new connections by removing existing penalties early. +which allows new connections by removing existing penalties early +(default: permissive). .El .It Cm PerSourcePenaltyExemptList Specifies a comma-separated list of addresses to exempt from penalties. -- 2.20.1