From bd1f74741daabeaf20939a85cd8cec08c76d0bec Mon Sep 17 00:00:00 2001 From: "djm@openbsd.org" Date: Thu, 6 Jun 2024 20:20:42 +0000 Subject: [PATCH] upstream: mention that PerSourcePenalties don't affect concurrent in-progress connections. OpenBSD-Commit-ID: 20389da6264f2c97ac3463edfaa1182c212d420c --- sshd_config.5 | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/sshd_config.5 b/sshd_config.5 index d4d01c06d..94aaef9fe 100644 --- a/sshd_config.5 +++ b/sshd_config.5 @@ -33,7 +33,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: sshd_config.5,v 1.356 2024/06/06 17:15:25 djm Exp $ +.\" $OpenBSD: sshd_config.5,v 1.357 2024/06/06 20:20:42 djm Exp $ .Dd $Mdocdate: June 6 2024 $ .Dt SSHD_CONFIG 5 .Os @@ -1564,8 +1564,9 @@ If a penalty is enforced against a client then its source address and any others in the .Cm PerSourceNetBlockSize will be refused connection for a period. -Multiple penalties from the same source from concurrent connections will -accumulate up to a maximum. +A penalty doesn't affect concurrent connections in progress, but multiple +penalties from the same source from concurrent connections will accumulate +up to a maximum. Conversely, penalties are not applied until a minimum threshold time has been accumulated. Penalties are off by default but may be enabled using default settings using the
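Review bot: In the @@ -1564 hunk of sshd_config.5, the added sentence "A penalty doesn't affect concurrent connections in progress" leaves the reader to work out what "affect" means and which connections count as "in progress". The sentence before it says a penalised source "will be refused connection for a period", so if the intent is that only new connections are refused while ones already open from that source carry on, the text should say so directly, for example "A penalty is applied only to new connections; connections from the same source that are already in progress are not affected by it." The added sentence also joins two separate points with "but" (in-progress connections are untouched; penalties from concurrent connections accumulate up to a maximum), and these would read more clearly as two sentences. Minor style point: "doesn't" could be "does not", matching "are not applied" in the sentence that follows.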