OpenSSH Enhances Security with New Feature

OpenSSH tightens security with a new sshd feature that aims to stop brute-force and exploit attempts with escalating per-source penalties.

OpenSSH, currently developed as part of the OpenBSD project, has introduced new configuration options for its SSH daemon (sshd), which promise to mitigate malicious attempts at unauthorized access.

The update, spearheaded by developer Damien Miller, adds two new sshd_config keywords: PerSourcePenalties and PerSourcePenaltyExemptList. These additions refine how sshd handles suspicious behavior from clients while ensuring that legitimate users are not unduly impacted.

The new PerSourcePenalties option lets sshd detect and respond to abnormal client behavior during the pre-authentication phase. When it is enabled, the listening sshd tracks the exit status of each child pre-auth session process; how that process ended tells it whether the client behaved.

Examples include failed authentication, which may indicate password guessing; clients that disconnect without ever attempting to authenticate or that let LoginGraceTime expire, which is typical of scanners; and pre-auth processes that crash, which may indicate an exploit attempt against sshd itself.

When a client's session ends with one of these problematic exit statuses, sshd imposes a temporary penalty on the client's source address: further connections from that address, and from others in the same network block as defined by the existing PerSourceNetBlockSize option (per-host by default), are refused for a set duration.

Penalties accrue: each further offense from the same source extends the block, up to a configurable maximum, while an accrued total below a configurable minimum is not enforced at all, so a single mistyped password does not lock anyone out. The duration also depends on the kind of offense; a crashed session process weighs far more than one failed password. The result is a response that scales with the severity and frequency of the offenses rather than a fixed lockout.

Conversely, PerSourcePenaltyExemptList lets administrators list addresses or CIDR ranges that are never penalized, so trusted clients are not locked out by an overzealous rule. It matters most for addresses behind which many users share one source IP, such as a NAT gateway, VPN concentrator or bastion host, where one misbehaving client would otherwise block everyone, and for monitoring systems that probe the port without authenticating.
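As an added example (not from the article and not the OpenSSH project's own code), here is a drop-in that enables the feature with every sub-option spelled out, adds an exemption list, and asks sshd to validate the result before anything is restarted. The keyword names and values follow sshd_config(5) as shipped with OpenSSH 9.8; the drop-in directory (which assumes an `Include /etc/ssh/sshd_config.d/*.conf` line in the main sshd_config), the file name and the trusted ranges are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not the article's or OpenSSH's own code. Writes an
# sshd_config drop-in that turns on PerSourcePenalties with every
# sub-option written out, adds an exemption list, and validates the
# result. Keyword names and values follow sshd_config(5) for OpenSSH 9.8;
# the drop-in path (assumes an "Include /etc/ssh/sshd_config.d/*.conf"
# line in sshd_config) and the example ranges are assumptions.
set -eu

# write_penalty_config DIR "ADDR [ADDR...]"
# Creates DIR/50-penalties.conf and prints its path. ADDRs are addresses
# or CIDR ranges that must never be penalised (may be empty).
write_penalty_config() {
    dir=$1
    trusted=${2:-}
    exempt=""
    if [ -n "$trusted" ]; then
        # sshd wants a comma-separated list for this keyword.
        exempt="PerSourcePenaltyExemptList $(printf '%s' "$trusted" | tr ' ' ',')"
    fi
    mkdir -p "$dir"
    cat > "$dir/50-penalties.conf" <<EOF
# Penalise sources whose pre-auth session ends badly. Durations are seconds.
#   crash          session process crashed (possible exploit attempt)
#   authfail       authentication failed
#   noauth         client disconnected without attempting authentication
#   grace-exceeded LoginGraceTime expired before authentication
#   min            accrued total below this is not enforced (tolerates a typo)
#   max            cap on how long one source stays blocked
# These values are the sshd_config(5) defaults, written out so the policy
# is visible in review rather than implied.
PerSourcePenalties crash:90 authfail:5 noauth:1 grace-exceeded:10 min:15 max:600

# Sources that are never penalised (NAT gateway, bastion, monitoring).
$exempt

# Penalties apply to the netblock, not just the address: 32:128 means
# per-host; 24:64 would block the whole /24 or /64 a bad client sits in.
PerSourceNetBlockSize 32:128
EOF
    echo "$dir/50-penalties.conf"
}

# check_config [FILE]: ask sshd to parse the configuration without starting.
# "Bad configuration option: PerSourcePenalties" means the installed sshd
# predates 9.8; do not restart it with this drop-in in place, because it
# will refuse to start on an unknown keyword.
check_config() {
    if ! command -v sshd >/dev/null 2>&1; then
        echo "sshd not found; skipping validation" >&2
        return 0
    fi
    sshd -t -f "${1:-/etc/ssh/sshd_config}"
}

# show_effective: print what sshd will actually use after Include
# processing (needs root, since -T reads the host keys).
show_effective() {
    sshd -T | grep -i '^persource'
}

# Usage: sh penalties.sh apply 203.0.113.10 192.0.2.0/24
if [ "${1:-}" = "apply" ]; then
    shift
    conf=$(write_penalty_config /etc/ssh/sshd_config.d "$*")
    echo "wrote $conf"
    check_config
    show_effective
fi
```

Run `sshd -t` before reloading on every host, not just the first: an older sshd rejects the unknown keyword and will not start, which turns a hardening change into an outage. The `show_effective` step is worth keeping too, because it confirms that the drop-in was actually included and that no later file overrides the values.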

Miller expressed optimism about the new features, noting that they “will make it significantly more difficult for attackers to find accounts with weak or guessable passwords or exploit bugs in sshd itself.”

He also indicated that while the PerSourcePenalties feature is currently off by default, it will likely be automatically enabled in future updates.

Many readers will compare this to the popular Fail2Ban tool, and the comparison is fair: the two are functionally similar. The difference is that this is native to sshd. There is no log parsing, no separate firewall rule set and no race between the attacker's next attempt and a log watcher; the listening sshd refuses the connection itself, before any authentication code runs. Two practical consequences follow: the penalty table lives in that sshd process's memory, so restarting the daemon clears it, and the penalties protect sshd only, not any other service on the host.

That does not make Fail2Ban redundant. It watches many services rather than just SSH, can apply different policies per user or match pattern, persists bans across restarts and can drive firewall rules that block a source on every port, so there is no need to retire it when the new feature lands in your OpenSSH build.

For more information, visit the announcement in the OpenBSD Journal.

Bobby Borisov

Bobby, an editor-in-chief at Linuxiac, is a Linux professional with over 20 years of experience. With a strong focus on Linux and open-source software, he has worked as a Senior Linux System Administrator, Software Developer, and DevOps Engineer for small and large multinational companies.
