OpenBSD Journal

OpenSSH introduces options to penalize undesirable behavior

Contributed by Peter N. M. Hansteen on from the sshd to carry a big stick dept.

In a recent commit, Damien Miller (djm@) introduced the new sshd(8) configurations options, PerSourcePenalties and PerSourcePenaltyExemptList, to provide a built in facility in sshd(8) itself to penalize undesirable behavior, and to shield specific clients from penalty, respectively.

The commit message reads,

List:       openbsd-cvs
Subject:    CVS: src
From:       Damien Miller <djm () cvs ! openbsd ! org>
Date:       2024-06-06 17:15:26

Module name:	src
Changes by:	2024/06/06 11:15:26

Modified files:
	usr.bin/ssh    : misc.c misc.h monitor.c monitor_wrap.c 
	                 servconf.c servconf.h srclimit.c srclimit.h 
	                 sshd-session.c sshd.c sshd_config.5 

Log message:
Add a facility to sshd(8) to penalise particular problematic client
behaviours, controlled by two new sshd_config(5) options:
PerSourcePenalties and PerSourcePenaltyExemptList.
When PerSourcePenalties are enabled, sshd(8) will monitor the exit
status of its child pre-auth session processes. Through the exit
status, it can observe situations where the session did not
authenticate as expected. These conditions include when the client
repeatedly attempted authentication unsucessfully (possibly indicating
an attack against one or more accounts, e.g. password guessing), or
when client behaviour caused sshd to crash (possibly indicating
attempts to exploit sshd).

When such a condition is observed, sshd will record a penalty of some
duration (e.g. 30 seconds) against the client's address. If this time
is above a minimum threshold specified by the PerSourcePenalties, then
connections from the client address will be refused (along with any
others in the same PerSourceNetBlockSize CIDR range).

Repeated offenses by the same client address will accrue greater
penalties, up to a configurable maximum. A PerSourcePenaltyExemptList
option allows certain address ranges to be exempt from all penalties.

We hope these options will make it significantly more difficult for
attackers to find accounts with weak/guessable passwords or exploit
bugs in sshd(8) itself.

PerSourcePenalties is off by default, but we expect to enable it
automatically in the near future.

much feedback markus@ and others, ok markus@
This new facility comes in addition to the already well known and loved pf.conf state tracking options, and is for now available only in OpenBSD-current, but is almost certainly to be available in the upcoming OpenBSD 7.6 release.

At first we were wondering whether these options would be enabled by default before the new release. We did not have to wait long. This subsequent commit settled the issue:

List:       openbsd-cvs
Subject:    CVS: src
From:       Damien Miller <djm () cvs ! openbsd ! org>
Date:       2024-06-06 20:25:48

Module name:	src
Changes by:	2024/06/06 14:25:48

Modified files:
	usr.bin/ssh    : servconf.c 

Log message:
enable PerSourcePenalties by default.

ok markus

NB. if you run a sshd that accepts connections from behind large NAT
blocks, proxies or anything else that aggregates many possible users
behind few IP addresses, then this change may cause legitimate traffic
to be denied.

Please read the PerSourcePenalties, PerSourcePenaltyExemptList and
PerSourceNetBlockSize options in sshd_config(5) for how to tune your
sshd(8) for your specific circumstances.
So now we know: starting with OpenBSD 7.6, PerSourcePenalties will be enabled by default, and admins who do not themselves run PF or other network translation mechanisms will need to keep the consequences of inconsiderate NAT use in mind.

(Comments are closed)

  1. By Anonymous Coward ( on

    seems like this is duplicating functionality of fail2ban, but in more security-critical code. any idea why implementing this as a seperate tool was not considered/done?

    1. By Stefan Sperling (stsp) on

      fail2ban cannot be used on OpenBSD. It's not even ported/packaged.

      1. By Anonymous Coward ( on

        Another package similar, sshguard, has been in ports for a long while, and AWK with PF have been in base for even longer. It would be interesting to know the motivation or goal as to why was this functionality was added to security-critical code.

        1. By Anonymous Coward ( on

          Securityfeatures enabled by defaut makes a big difference.
          Most sshd installs does not rely on fail2ban or loganalysis to kill the bots.

        2. By rjc (rjc) on

          If anything, this bring's to mind Peter's PF tutorial but bear in mind that PF isn't available everywhere where OpenSSH is.

          1. By Anonymous Coward (anonymouse) on

            PF connection rate controls are just that - and are easily tripped if you make repeated legitimate connections (for example if an anoncvs server is behind such a firewall, it's easy to trip via normal cvs operations). To avoid problems like that you need to be able to distinguish failed from valid connections.

    2. By Anonymous Coward (anonymouse) on

      It's fairy different actually. fail2ban and similar programs like sshguard are doing (relatively risky) log parsing and adjusting firewall rules. This new ssh feature only needs to do much simpler checks of an IP address (direct comparison without string parsing) and can react directly inside the single program sshd without having to go via the kernel to adjust a firewall.


Copyright © - Daniel Hartmeier. All rights reserved. Articles and comments are copyright their respective authors, submission implies license to publish on this web site. Contents of the archive prior to as well as images and HTML templates were copied from the fabulous original with Jose's and Jim's kind permission. This journal runs as CGI with httpd(8) on OpenBSD, the source code is BSD licensed. undeadly \Un*dead"ly\, a. Not subject to death; immortal. [Obs.]