OpenSSH, currently developed as part of the OpenBSD project, has introduced new configuration options for its SSH daemon (sshd), which promise to mitigate malicious attempts at unauthorized access.
The update, spearheaded by developer Damien Miller, incorporates two key features: PerSourcePenalties and PerSourcePenaltyExemptList. These additions are designed to refine how sshd handles suspicious behavior from clients while ensuring that legitimate users are not unduly impacted.
The new PerSourcePenalties option enables sshd to monitor and respond to abnormal behavior detected during the SSH authentication process. When this feature is enabled, sshd tracks the exit statuses of its child pre-auth session processes to identify potentially harmful activities.
Examples of such activities include repeated failed login attempts, which may suggest an attempt to guess passwords, or actions that cause the sshd to crash, possibly indicating an exploit effort.
Under this system, if a client exhibits behavior that leads to a problematic exit status, sshd imposes a temporary penalty on the client’s IP address, blocking further connections from this address and others within the same network block for a specified duration.
This penalty period can increase with repeated offenses, up to a maximum threshold. Importantly, this feature is designed to adapt its response based on the severity and frequency of the offenses, making it a dynamic tool against network attacks.
Conversely, the PerSourcePenaltyExemptList allows administrators to specify IP addresses or ranges exempt from these penalties, ensuring that trusted clients do not face connection issues due to stringent security measures. This is particularly useful for addresses that may frequently trigger false positives in more sensitive environments.
Miller expressed optimism about the new features, noting that they “will make it significantly more difficult for attackers to find accounts with weak or guessable passwords or exploit bugs in sshd itself.”
He also indicated that while the PerSourcePenalties feature is currently off by default, it will likely be automatically enabled in future updates.
Many of you might be comparing the new feature to the popular Fail2Ban tool, and you’re right; they are quite functionally similar. But we’re talking about a native implementation of this functionality directly into sshd, which is fantastic.
However, it’s important to note that this doesn’t mean Fail2Ban is no longer useful. It has many extra features, like managing various types of authentication and treating different users in specific ways, so don’t rush to retire it when the new feature becomes available in your OpenSSH implementation.
For more information, visit the announcement in the OpenBSD Journal.
