author: djm@openbsd.org <djm@openbsd.org> 2024-06-13 00:36:00 +0200
committer: Damien Miller <djm@mindrot.org> 2024-06-13 00:36:41 +0200
commit: 4de80ff4e6fab5a6bb0028e7d57c6c23d1485adb (patch)
tree: 680220594ec121af6cc97bbfc5abfb42adfced73 /sshd_config.5
parent: upstream: do not mark up "(default: 20ms)"; (diff)
download: openssh-4de80ff4e6fab5a6bb0028e7d57c6c23d1485adb.tar.xz, openssh-4de80ff4e6fab5a6bb0028e7d57c6c23d1485adb.zip
upstream: split PerSourcePenalties address tracking.

Previously it used one shared table and overflow policy for IPv4 and IPv6 addresses, now it will use separate tables and optionally different overflow policies. This prevents misbehaviour from IPv6 addresses (which are vastly easier to obtain many of) from affecting IPv4 connections and may allow for stricter overflow policies. ok deraadt@

OpenBSD-Commit-ID: 12637ed0aa4d5f1f3e702da42ea967cbd8bfdfd9
Diffstat (limited to 'sshd_config.5')
-rw-r--r-- sshd_config.5 | 22
1 files changed, 16 insertions, 6 deletions
diff --git a/sshd_config.5 b/sshd_config.5
index ff2d116a4..550c11cc9 100644
--- a/sshd_config.5
+++ b/sshd_config.5
@@ -33,8 +33,8 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
-.\" $OpenBSD: sshd_config.5,v 1.360 2024/06/11 05:24:39 jmc Exp $
-.Dd $Mdocdate: June 11 2024 $
+.\" $OpenBSD: sshd_config.5,v 1.361 2024/06/12 22:36:00 djm Exp $
+.Dd $Mdocdate: June 12 2024 $
.Dt SSHD_CONFIG 5
.Os
.Sh NAME
@@ -1603,12 +1603,14 @@ Repeated penalties will accumulate up to this maximum.
.It Cm min:duration
Specifies the minimum penalty that must accrue before enforcement begins
(default: 15s).
-.It Cm max-sources:number
-Specifies the maximum number of penalise client address ranges to track
-(default: 65536).
+.It Cm max-sources4:number max-sources6:number
+Specifies the maximum number of client IPv4 and IPv6 address ranges to
+track for penalties (default: 65536 for both).
.It Cm overflow:mode
Controls how the server behaves when
-.Cm max-sources
+.Cm max-sources4
+or
+.Cm max-sources6
is exceeded.
There are two operating modes:
.Cm deny-all ,
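Review bot: the replacement `.It Cm max-sources4:number max-sources6:number` entry removes the old `max-sources` keyword without saying what happens to existing configurations that still use it; a sentence stating whether `max-sources` is rejected or still accepted (and, if accepted, which limit it sets) would avoid surprises on upgrade. The other entries in this list document one keyword per `.It` (`min:duration`, `overflow:mode`), so consider splitting this one into two `.It` lines that share the description, or at least make explicit that both keys take independent values.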
@@ -1618,6 +1620,14 @@ until a penalty expires, and
.Cm permissive ,
which allows new connections by removing existing penalties early
(default: permissive).
+Note that client penalties below the
+.Cm min
+threshold count against the total number of tracked penalties.
+IPv4 and IPv6 addresses are tracked separately, so an overflow in one will
+not affect the other.
+.It Cm overflow6:mode
+Allows specifying a different overflow mode for IPv6 addresses.
+The default it to use the same overflow mode as was specified for IPv4.
.El
.It Cm PerSourcePenaltyExemptList
Specifies a comma-separated list of addresses to exempt from penalties.
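Review bot: typo in the new `overflow6:mode` text: "The default it to use the same overflow mode as was specified for IPv4." should read "The default is to use the same overflow mode as was specified for IPv4." Since the note that IPv4 and IPv6 addresses are tracked separately sits under `overflow:mode`, it may also help to state there that `overflow:mode` alone now governs only the IPv4 table unless `overflow6:mode` is set, so readers do not assume the single keyword still covers both.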