author: djm@openbsd.org <djm@openbsd.org> 2024-09-15 03:11:26 +0200
committer: Damien Miller <djm@mindrot.org> 2024-09-15 03:23:10 +0200
commit: 7875975136f275619427604900cb0ffd7020e845 (patch)
tree: ec89bf7a4abd7954bd3a49750db8e0523bbd07ca /sshd_config.5
parent: upstream: Add a sshd_config "RefuseConnection" option
upstream: Add a "refuseconnection" penalty class to sshd_config
PerSourcePenalties

This allows penalising connection sources that have had connections dropped by the RefuseConnection option. ok markus@

OpenBSD-Commit-ID: 3c8443c427470bb3eac1880aa075cb4864463cb6
Diffstat (limited to 'sshd_config.5')
-rw-r--r-- sshd_config.5 12
1 files changed, 11 insertions, 1 deletions
diff --git a/sshd_config.5 b/sshd_config.5
index 56ed2bf1e..ce59843e5 100644
--- a/sshd_config.5
+++ b/sshd_config.5
@@ -33,7 +33,7 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
-.\" $OpenBSD: sshd_config.5,v 1.371 2024/09/15 01:09:40 djm Exp $
+.\" $OpenBSD: sshd_config.5,v 1.372 2024/09/15 01:11:26 djm Exp $
.Dd $Mdocdate: September 15 2024 $
.Dt SSHD_CONFIG 5
.Os
@@ -1605,6 +1605,11 @@ Specifies how long to refuse clients that cause a crash of
.It Cm authfail:duration
Specifies how long to refuse clients that disconnect after making one or more
unsuccessful authentication attempts (default: 5s).
+.It Cm refuseconnection:duration
+Specified how long to refuse clients that were administratively prohibited
+connection via the
+.Cm RefuseConnection
+option (default: 10s).
.It Cm noauth:duration
Specifies how long to refuse clients that disconnect without attempting
authentication (default: 1s).
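Review bot: The new refuseconnection:duration entry opens with "Specified how long", while the authfail:duration and noauth:duration entries on either side open with "Specifies how long"; change it to "Specifies" so the penalty list reads consistently. The wording "clients that were administratively prohibited connection" is also hard to parse in a man page; "clients whose connection was terminated by the RefuseConnection option" would say the same thing more directly.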
@@ -1766,6 +1771,11 @@ The default is
Indicates that
.Xr sshd 8
should unconditionally terminate the connection.
+Additionally, a
+.Cm refuseconnection
+penalty may be recorded against the source of the connection of
+.Cm PerSourcePenalties
+are enabled.
This option is only really useful in a
.Cm Match
block.
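Review bot: In the sentence added under RefuseConnection, "of .Cm PerSourcePenalties are enabled" looks like a typo for "if ... is enabled"; as written the text never states the condition under which the refuseconnection penalty is recorded. Suggest "penalty may be recorded against the source of the connection if PerSourcePenalties is enabled." Since this option is described as mainly useful inside a Match block, it would also help to say here that the penalty applies to the connection's source for the refuseconnection duration documented under PerSourcePenalties (default: 10s), so an administrator knows that follow-up connections from that source are refused for that period.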