- Bug
- Resolution: Unresolved
- Normal
- rhel-10.0
- Upstream commit: eddd1d2daa64a6ab1a915ca88436fa41aede44d4
- rhel-security-crypto-diamonds
- Architecture: x86_64
OpenSSH 10.1 contains a fix (https://anongit.mindrot.org/openssh.git/commit/?id=eddd1d2daa64a6ab1a915ca88436fa41aede44d4)
for MaxStartups/PerSourceMaxStartups handling/accounting.
Please consider backporting this fix for RHEL 10.
From the 10.1 changelog (https://lwn.net/ml/all/dd12623ae86aa5eb@cvs.openbsd.org/), these fixes could also be relevant:
- "sshd(8): Make the MaxStartups and PerSourceNetBlockSize options first-match-wins as advertised. bz3859"
- "sshd(8): log at level INFO when PerSourcePenalties actually blocks access to a source address range. Previously this was logged at level VERBOSE, which hid enforcement actions under default config settings." (https://anongit.mindrot.org/openssh.git/commit/?h=V_10_1&id=bc328144f149af07139a0f2c1329018cd85b86b7)
What were you trying to do that didn't work?
Set
MaxStartups 10:30:60
PerSourceMaxStartups 6
PerSourcePenalties crash:180 authfail:8 noauth:3 grace-exceeded:20 max:900 min:10
PerSourcePenaltyExemptList your.ip.address/32
Then repeatedly log in and exit, and pretty soon sshd will refuse connections (even though there are no active ssh connections). Adding your address to PerSourcePenaltyExemptList doesn't seem to help.
As far as I can tell, after sshd starts refusing connections you'll need:
systemctl reload sshd
or to connect from a different address (if possible). Otherwise
What is the impact of this issue to you?
I have to set PerSourceMaxStartups artificially high and periodically run systemctl reload sshd to stop sshd from blocking access.
Please provide the package NVR for which the bug is seen:
openssh-server-9.9p1-7.el10_0.x86_64
How reproducible is this bug?:
Seems easily reproducible.
Steps to reproduce
- Set the config options from above (MaxStartups/PerSourceMaxStartups/PerSourcePenalties).
- Repeatedly log in and log out from the same address; sshd should start refusing connections.
Expected results
PerSourceMaxStartups 4 should allow at least one connection (if there are no other connection attempts).
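The following is an added example for this report, not OpenSSH code and not the reporter's. It parses the four options from the report and models the admission rule documented in sshd_config(5): a new unauthenticated connection is refused outright once the address has PerSourceMaxStartups pending connections, and otherwise dropped with a probability that is `rate` percent at `start` pending connections and rises linearly to 100 percent at `full`. The sample config is the reporter's, with an RFC 5737 documentation address standing in for `your.ip.address`; the pending-connection counts and the random draw passed to `should_drop` are constructed so the decision is deterministic. The exempt list is modelled as applying only to PerSourcePenalties, which is what sshd_config(5) documents it for.

```python
"""Model sshd's MaxStartups / PerSourceMaxStartups admission rule and
parse the PerSourcePenalties options from the report.

Added example; not OpenSSH code. The linear drop-probability rule is the
one documented in sshd_config(5); counts and random draws are constructed.
"""
import ipaddress

# Constructed sample: the reporter's settings, with a documentation
# address (RFC 5737) standing in for "your.ip.address".
SAMPLE_CONFIG = """\
MaxStartups 10:30:60
PerSourceMaxStartups 6
PerSourcePenalties crash:180 authfail:8 noauth:3 grace-exceeded:20 max:900 min:10
PerSourcePenaltyExemptList 192.0.2.10/32
"""


def parse_sshd_config(text):
    """Return {lowercased keyword: value string} for non-comment lines."""
    options = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        keyword, _, value = line.partition(" ")
        options[keyword.lower()] = value.strip()
    return options


def parse_max_startups(value):
    """'start:rate:full' -> (start, rate, full). A bare number means
    start == full, i.e. no probabilistic region (rate 100)."""
    parts = [int(p) for p in value.split(":")]
    if len(parts) == 1:
        return parts[0], 100, parts[0]
    if len(parts) != 3:
        raise ValueError(f"MaxStartups needs start:rate:full, got {value!r}")
    start, rate, full = parts
    if not (0 < start <= full and 0 <= rate <= 100):
        raise ValueError(f"inconsistent MaxStartups {value!r}")
    return start, rate, full


def parse_penalties(value):
    """'crash:180 authfail:8 ...' -> {'crash': 180, 'authfail': 8, ...};
    every entry must be name:seconds and min must not exceed max."""
    penalties = {}
    for item in value.split():
        name, sep, seconds = item.partition(":")
        if not sep or not seconds.isdigit():
            raise ValueError(f"bad PerSourcePenalties entry {item!r}")
        penalties[name] = int(seconds)
    if penalties.get("min", 0) > penalties.get("max", 10**9):
        raise ValueError("PerSourcePenalties min exceeds max")
    return penalties


def drop_probability(pending, start, rate, full):
    """Percent chance that a new unauthenticated connection is dropped when
    `pending` such connections already exist: 0 below start, `rate` at
    start, rising linearly to 100 at full (integer arithmetic)."""
    if pending < start:
        return 0
    if pending >= full:
        return 100
    return (100 - rate) * (pending - start) // (full - start) + rate


def is_penalty_exempt(address, exempt_list):
    """True if `address` is inside any host/CIDR entry of
    PerSourcePenaltyExemptList. Exemption covers penalties only, not the
    PerSourceMaxStartups limit, which matches the reporter's observation."""
    addr = ipaddress.ip_address(address)
    return any(addr in ipaddress.ip_network(entry, strict=False)
               for entry in exempt_list.split())


def should_drop(options, total_pending, source_pending, random_percent):
    """Admission decision for one new connection. `random_percent` is the
    0-99 draw sshd would take at random; passing it in keeps the function
    deterministic. Returns (drop, reason)."""
    raw = options.get("persourcemaxstartups", "none")
    per_source = 0 if raw == "none" else int(raw)
    if per_source and source_pending >= per_source:
        return True, "PerSourceMaxStartups reached for this address"
    start, rate, full = parse_max_startups(options.get("maxstartups", "10:30:100"))
    p = drop_probability(total_pending, start, rate, full)
    if random_percent < p:
        return True, f"MaxStartups: {p}% drop chance at {total_pending} pending"
    return False, "accepted"


if __name__ == "__main__":
    opts = parse_sshd_config(SAMPLE_CONFIG)
    print("penalties:", parse_penalties(opts["persourcepenalties"]))
    for pending in (5, 10, 35, 60):
        print(pending, "pending ->", drop_probability(pending, 10, 30, 60), "% drop")
    print(should_drop(opts, total_pending=3, source_pending=6, random_percent=99))
```

The model assumes that a connection's slot is released when it finishes; that is the accounting the report says is broken in 9.9p1, which is why the real daemon can keep refusing an address with no active sessions until `systemctl reload sshd` resets the counters. The `is_penalty_exempt` helper also makes the reporter's second observation plausible: an exempt-list entry is only consulted for penalties, so it cannot lift a PerSourceMaxStartups refusal.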