https://bugzilla.mindrot.org/show_bug.cgi?id=3851
Damien Miller <[email protected]> changed:

What           |Removed |Added
----------------------------------------------------------------------------
CC|            |[email protected]

--- Comment #1 from Damien Miller <[email protected]> ---

> Does the current setting of PerSourcePenaltyExemptList apply to
> connections that would be refused by MaxStartups settings?

No, it only applies to PerSourcePenalties.

> how about a new ExemptList but for MaxStartups?

I'd like that too, but it's unfortunately quite tricky given the current design of MaxStartups, which uses a fixed number of subprocess slots. We'd need to redesign this fairly substantially.

A hacky workaround might be to run a 2nd instance of sshd and control access to it using firewall rules.

> I'm also using PerSourceMaxStartups but lately the botnets are so
> distributed that it doesn't make a difference.

I find that heavily penalising clients that attempt invalid usernames makes a huge difference. E.g.

> PerSourcePenalties refuseconnection:300
> # Allowlist root logins only from local addresses.
> Match user root address 127.0.0.0/8,::1,192.168.0.0/16
>     RefuseConnection no
> # Penalise connection attempts to invalid usernames.
> Match invalid-user
>     RefuseConnection yes
> # Penalise other attempts to log in as root.
> Match user root
>     RefuseConnection yes

--
_______________________________________________
openssh-bugs mailing list
[email protected]
https://lists.mindrot.org/mailman/listinfo/openssh-bugs
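The ordering of the Match blocks in the config above matters because sshd uses the first value it obtains for a keyword: the root-from-local block must come before the general root block or local root logins would be refused too. The following is an added example (not part of the bug comment or of OpenSSH) that models that first-match evaluation for the exact rules quoted above, so you can check which (user, address) pairs end up with RefuseConnection yes; it assumes a constructed set of valid local accounts and simplifies sshd's address matching to CIDR membership.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed model of the sshd_config snippet above; not sshd's own parser.
PENALTY_SECONDS = 300            # from "PerSourcePenalties refuseconnection:300"
VALID_USERS = {"root", "alice"}  # constructed sample of local accounts


@dataclass
class MatchRule:
    refuse: bool                       # value of RefuseConnection in this block
    user: Optional[str] = None         # "Match user <name>"
    invalid_user: bool = False         # "Match invalid-user"
    addresses: List[str] = field(default_factory=list)  # "address <cidr,...>"


# The three Match blocks, in the order they appear in the config.
RULES = [
    MatchRule(refuse=False, user="root",
              addresses=["127.0.0.0/8", "::1", "192.168.0.0/16"]),
    MatchRule(refuse=True, invalid_user=True),
    MatchRule(refuse=True, user="root"),
]


def rule_matches(rule: MatchRule, user: str, addr: str) -> bool:
    """All criteria on a Match line must hold for the block to apply."""
    if rule.user is not None and rule.user != user:
        return False
    if rule.invalid_user and user in VALID_USERS:
        return False
    if rule.addresses:
        ip = ipaddress.ip_address(addr)
        # 'in' is False across IP versions, so ::1 never matches 127.0.0.0/8.
        if not any(ip in ipaddress.ip_network(a, strict=False)
                   for a in rule.addresses):
            return False
    return True


def refuse_connection(user: str, addr: str) -> bool:
    """First matching block that sets RefuseConnection wins (assumed sshd
    first-obtained-value semantics); the global default is 'no'."""
    for rule in RULES:
        if rule_matches(rule, user, addr):
            return rule.refuse
    return False


def penalty_seconds(user: str, addr: str) -> int:
    """Penalty a refused connection adds to the source, per the config."""
    return PENALTY_SECONDS if refuse_connection(user, addr) else 0
```

Swapping the first and third rules in RULES shows the failure mode: root from 192.168.1.5 then gets refused, because the general root block is obtained first.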
