OpenSSH features a built-in PerSourcePenalties configuration (introduced in v9.8) designed to mitigate brute-force attacks by temporarily blocking client IP addresses with repeated authentication failures.
As a result, the script cannot find the password with values:
declare delay="0.04" # delay between attempts in seconds
declare max_jobs="0" # max parallel SSH jobs; 0 = unlimited
declare max_retries="50" # max retries per attempt on SSH errors (3, 255)
Replication:
./getsshpass.sh -a 127.0.0.1 -p 22 -u username.txt -d rockyou.txt
- We have an OpenSSH server with PerSourcePenalties enabled (default since v9.8) and we launch an attack against it.
- After a few unsuccessful attempts the server starts dropping SSH connections and the script receives return value 255.
- The script retries 50× with 0.04s delay = ~2 seconds total until max_retries is exhausted:
if (( retries >= max_retries )); then
msg_warn \
"Max retries (${max_retries}) reached" \
"for user '${user}', password '${pass}'"
return
fi
- The password is silently skipped and the entire wordlist is processed without a match – even though the correct password was present in the wordlist.
Note: The script can find the password when PerSourcePenalties is disabled in sshd_config (PerSourcePenalties no) or we slow the attack with -w = 5 and -j = 1.
OpenSSH features a built-in PerSourcePenalties configuration (introduced in v9.8) designed to mitigate brute-force attacks by temporarily blocking client IP addresses with repeated authentication failures.
As a result, the script cannot find the password with values:
declare delay="0.04" # delay between attempts in seconds
declare max_jobs="0" # max parallel SSH jobs; 0 = unlimited
declare max_retries="50" # max retries per attempt on SSH errors (3, 255)
Replication:
./getsshpass.sh -a 127.0.0.1 -p 22 -u username.txt -d rockyou.txt
Note: The script can find the password when PerSourcePenalties is disabled in sshd_config (PerSourcePenalties no) or we slow the attack with -w = 5 and -j = 1.