I recently upgraded a server to Debian Trixie, and I noticed some new lines in /var/log/auth.log:
2025-11-30T00:17:48.220870+00:00 WEB sshd[55238]: srclimit_penalise: ipv4: new 1.2.3.4/32 active penalty of 1s seconds for penalty: connections without attempting authentication
After a little searching, I found that the new version of the SSH server included with Trixie has a new directive, PerSourcePenalties.
This directive makes sshd automatically refuse connections from source addresses that have accumulated login failures beyond the thresholds you configure. Like Fail2Ban, but without using a firewall.
On the server, I have the following set:
LoginGraceTime 3s
PermitRootLogin prohibit-password
MaxAuthTries 3
AllowUsers <USERS>
These are all set very low because I am the only administrator of the server.
PerSourcePenalties enables me to deny any IP address that uses a non-permitted user, times out their login, attempts to use a password, or tries more than three times. These are all common bot and attack modes of login failure.
The configuration is straightforward. I have added the following line to /etc/ssh/sshd_config:
PerSourcePenalties noauth:24h authfail:24h grace-exceeded:24h
This blocks any offending IP for 24 hours. Use an m or s suffix instead of h if you want a shorter timeout.
Save and exit your editor. However…
Important!
Whenever you modify /etc/ssh/sshd_config, there is a chance you will make a typo, and SSH won’t restart afterward, locking you out of your server.
Avoid this by always doing the following before restarting SSH:
- Open a second terminal and SSH into your server.
- In the first terminal, confirm that sshd_config is good by running the following config checking command:
sshd -t
If you don’t get any output, your config is good. Any errors will be listed, e.g.:
sshd -t
/etc/ssh/sshd_config line 60: no argument after keyword "asdf"
/etc/ssh/sshd_config: terminating, 1 bad configuration options
- Log out and log back in with ONE of your terminals. If you can’t log back in, use the other terminal to correct the issue with your config.
This works because sessions that are already open when you restart SSH are not affected by the restart; they keep running under the old config.
This process has saved me from an(other) embarrassing call to the DC chaps to plug in the crash cart to get SSH back online.
Result
You will now have the pleasure of seeing lots and lots of naughty IP addresses having their connections dropped, with lines like the following:
2025-11-30T07:47:11.502107+00:00 WEB sshd[55238]: drop connection #0 from [1.2.3.4]:59020 on [4.3.2.1]:22 penalty: connections without attempting authentication
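As an added example (not code from the original post), here is a small script that wraps the two pieces of the process above: a restart that only proceeds when sshd -t accepts the config, and an awk summary of which source addresses are being penalised, run over log lines in the format quoted on this page. The service name ssh, the sample log lines and the "authentication failure" reason text are assumptions.

```shell
# Added example, not from the original post. Two helpers: a restart that
# refuses to proceed on a bad sshd_config, and a per-source summary of
# PerSourcePenalties activity parsed from auth.log-style lines.

# Debian's unit is assumed to be "ssh"; override SERVICE if yours differs.
SERVICE="${SERVICE:-ssh}"
safe_restart_sshd() {
    # sshd -t exits non-zero and names the offending line on a bad config
    if sshd -t -f /etc/ssh/sshd_config; then
        systemctl restart "$SERVICE"
    else
        echo "sshd_config has errors; not restarting" >&2
        return 1
    fi
}

# Prints one line per source: "<ip> <penalties applied> <connections dropped> <last reason>"
penalty_summary() {
    awk '
        # "srclimit_penalise: ipv4: new 1.2.3.4/32 active penalty of ... for penalty: <reason>"
        /srclimit_penalise: ipv[46]: new / {
            for (i = 1; i <= NF; i++) if ($i == "new") { ip = $(i + 1); sub(/\/[0-9]+$/, "", ip) }
            pen[ip]++
            reason = $0; sub(/.*for penalty: /, "", reason); why[ip] = reason
        }
        # "drop connection #0 from [1.2.3.4]:59020 on [4.3.2.1]:22 penalty: <reason>"
        /drop connection #[0-9]+ from \[/ {
            ip = $0; sub(/.*from \[/, "", ip); sub(/\].*/, "", ip)
            drop[ip]++
        }
        END {
            for (ip in pen) seen[ip] = 1
            for (ip in drop) seen[ip] = 1
            for (ip in seen)
                printf "%s\t%d\t%d\t%s\n", ip, pen[ip] + 0, drop[ip] + 0, (ip in why) ? why[ip] : "-"
        }
    ' | sort
}

# Constructed sample log lines (not real traffic); the "authentication failure"
# reason text on the 5.6.7.8 line is assumed for illustration.
SAMPLE_LOG='2025-11-30T00:17:48.220870+00:00 WEB sshd[55238]: srclimit_penalise: ipv4: new 1.2.3.4/32 active penalty of 1s seconds for penalty: connections without attempting authentication
2025-11-30T00:17:52.101000+00:00 WEB sshd[55240]: srclimit_penalise: ipv4: new 1.2.3.4/32 active penalty of 5s seconds for penalty: connections without attempting authentication
2025-11-30T07:47:11.502107+00:00 WEB sshd[55238]: drop connection #0 from [1.2.3.4]:59020 on [4.3.2.1]:22 penalty: connections without attempting authentication
2025-11-30T07:48:03.000000+00:00 WEB sshd[55301]: srclimit_penalise: ipv4: new 5.6.7.8/32 active penalty of 20s seconds for penalty: authentication failure'

printf '%s\n' "$SAMPLE_LOG" | penalty_summary
```

On a live server, feed the summary with journalctl -u ssh or the auth.log file instead of the sample. Note that sshd caps every penalty at the max: value of PerSourcePenalties, which defaults to 10m, so a 24h entry only takes full effect if max:24h is set as well.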