upstream: enable PerSourcePenalties by default.
authordjm@openbsd.org <djm@openbsd.org>
Thu, 6 Jun 2024 20:25:48 +0000 (20:25 +0000)
committerDamien Miller <djm@mindrot.org>
Thu, 6 Jun 2024 20:26:15 +0000 (06:26 +1000)
ok markus

NB. if you run a sshd that accepts connections from behind large NAT
blocks, proxies or anything else that aggregates many possible users
behind few IP addresses, then this change may cause legitimate traffic
to be denied.

Please read the PerSourcePenalties, PerSourcePenaltyExemptList and
PerSourceNetBlockSize options in sshd_config(5) for how to tune your
sshd(8) for your specific circumstances.

OpenBSD-Commit-ID: 24a0e5c23d37e5a63e16d2c6da3920a51078f6ce

servconf.c

index b04fb1048d6536f46d1e17fe412b1dda64911abd..4598ee373151e7e79bd5d7b77a9d302845036127 100644 (file)
@@ -1,4 +1,4 @@
-/* $OpenBSD: servconf.c,v 1.408 2024/06/06 17:15:25 djm Exp $ */
+/* $OpenBSD: servconf.c,v 1.409 2024/06/06 20:25:48 djm Exp $ */
 /*
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
  *                    All rights reserved
@@ -413,7 +413,7 @@ fill_default_server_options(ServerOptions *options)
        if (options->per_source_masklen_ipv6 == -1)
                options->per_source_masklen_ipv6 = 128;
        if (options->per_source_penalty.enabled == -1)
-               options->per_source_penalty.enabled = 0;
+               options->per_source_penalty.enabled = 1;
        if (options->per_source_penalty.max_sources == -1)
                options->per_source_penalty.max_sources = 65536;
        if (options->per_source_penalty.overflow_mode == -1)
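Review bot: The flipped default on the `options->per_source_penalty.enabled = 1;` line carries no comment saying why the penalty tracker is now on for every installation, and this diff touches only servconf.c, so the documented default in sshd_config(5) is presumably updated in a separate commit — worth confirming so the man page and the code do not disagree. Since the commit message itself warns that deployments behind NAT blocks or proxies may see legitimate connections refused, a one-line pointer at the site of the default would help the next reader: `/* on by default; NAT/proxy deployments should tune PerSourcePenaltyExemptList and PerSourceNetBlockSize */`. fill_default_server_options continues beyond this hunk on both sides.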