[OpenSSH] Make the PerSourcePenalties configuration available in GUI
Important notices
Before you add a new report, we ask you kindly to acknowledge the following:
- [x] I have read the contributing guidelines at https://github.com/opnsense/core/blob/master/CONTRIBUTING.md
- [x] I am convinced that my issue is new after having checked both open and closed issues at https://github.com/opnsense/core/issues?q=is%3Aissue
Is your feature request related to a problem? Please describe.
OpenSSH has a new feature since the 9.7 release.
This is enabled by default (see below). While the defaults seem to be pretty sensible, admins may want to add exemptions, or possibly harden / relax the parameters for this feature for distinct reasons / scenarios as described in the release notes - but currently this is not configurable in any way via GUI.
Describe the solution you like
Add some advanced configuration options for PerSourcePenalties, PerSourceNetBlockSize and PerSourcePenaltyExemptList.
Describe alternatives you considered
Not sure if there's a rewrite of the static PHP page in the works, if there is, probably it's better to include it there and leave the current mess alone.
Additional context
OpenBSD sshd_config(5) manpage
```
# sshd -G | grep -i PerSource
persourcepenaltyexemptlist none
persourcemaxstartups none
persourcenetblocksize 32:128
persourcepenalties crash:90 authfail:5 noauth:1 grace-exceeded:20 max:600 min:15 max-sources4:65536 max-sources6:65536 overflow:permissive overflow6:permissive
```
* [sshd(8)](https://man.openbsd.org/sshd.8): the server will now block client addresses that
repeatedly fail authentication, repeatedly connect without ever
completing authentication or that crash the server. See the
discussion of PerSourcePenalties below for more information.
Operators of servers that accept connections from many users, or
servers that accept connections from addresses behind NAT or
proxies may need to consider these settings.
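
An added example (not OPNsense or OpenSSH code) of the input checking a GUI backend for the three requested options would need: it parses the `sshd -G` output shown above and renders validated `sshd_config` lines. The function names, the exempt network and the override values are hypothetical.

```python
import ipaddress

# Effective settings exactly as printed on this page by `sshd -G | grep -i PerSource`.
SSHD_G_SAMPLE = """\
persourcepenaltyexemptlist none
persourcemaxstartups none
persourcenetblocksize 32:128
persourcepenalties crash:90 authfail:5 noauth:1 grace-exceeded:20 max:600 min:15 max-sources4:65536 max-sources6:65536 overflow:permissive overflow6:permissive
"""

def parse_effective(text):
    """Map each lower-cased PerSource* keyword from `sshd -G` to its raw value."""
    out = {}
    for line in text.splitlines():
        key, _, value = line.strip().partition(" ")
        if key.startswith("persource"):
            out[key] = value
    return out

def parse_penalties(value):
    """Split 'crash:90 authfail:5 ...' into a dict; numeric fields become int."""
    result = {}
    for item in value.split():
        name, _, arg = item.partition(":")
        result[name] = int(arg) if arg.isdigit() else arg
    return result

def render_overrides(exempt_cidrs, v4_prefix, v6_prefix, penalties, baseline):
    """Validate GUI-style input (hypothetical form fields) and return config lines.

    Only penalty keys already present in `baseline` are accepted, so a
    mistyped key is rejected before it is written to sshd_config.
    """
    # ip_network() raises ValueError on malformed CIDRs or set host bits.
    nets = [ipaddress.ip_network(c) for c in exempt_cidrs]
    if not (0 <= v4_prefix <= 32 and 0 <= v6_prefix <= 128):
        raise ValueError("PerSourceNetBlockSize prefix out of range")
    unknown = set(penalties) - set(baseline)
    if unknown:
        raise ValueError(f"unknown penalty keys: {sorted(unknown)}")
    lines = [f"PerSourceNetBlockSize {v4_prefix}:{v6_prefix}"]
    if nets:
        lines.append("PerSourcePenaltyExemptList " + ",".join(map(str, nets)))
    # Emit the complete merged policy so the rendered line is self-describing.
    merged = {**baseline, **penalties}
    lines.append("PerSourcePenalties " + " ".join(f"{k}:{v}" for k, v in merged.items()))
    return lines
```

Running the rendered lines through `sshd -t` before reloading the service confirms that sshd itself accepts them.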