2021-01-09 12:10:02 +00:00
|
|
|
/*
|
|
|
|
* Copyright (c) 2020 Darren Tucker <dtucker@openbsd.org>
|
|
|
|
*
|
|
|
|
* Permission to use, copy, modify, and distribute this software for any
|
|
|
|
* purpose with or without fee is hereby granted, provided that the above
|
|
|
|
* copyright notice and this permission notice appear in all copies.
|
|
|
|
*
|
|
|
|
* THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
|
|
|
|
* WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
|
|
|
|
* MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
|
|
|
|
* ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
|
|
|
|
* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
|
|
|
|
* ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
|
|
|
|
* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
|
|
|
|
*/
|
upstream: Add a facility to sshd(8) to penalise particular
problematic client behaviours, controlled by two new sshd_config(5) options:
PerSourcePenalties and PerSourcePenaltyExemptList.
When PerSourcePenalties are enabled, sshd(8) will monitor the exit
status of its child pre-auth session processes. Through the exit
status, it can observe situations where the session did not
authenticate as expected. These conditions include when the client
repeatedly attempted authentication unsucessfully (possibly indicating
an attack against one or more accounts, e.g. password guessing), or
when client behaviour caused sshd to crash (possibly indicating
attempts to exploit sshd).
When such a condition is observed, sshd will record a penalty of some
duration (e.g. 30 seconds) against the client's address. If this time
is above a minimum threshold specified by the PerSourcePenalties, then
connections from the client address will be refused (along with any
others in the same PerSourceNetBlockSize CIDR range).
Repeated offenses by the same client address will accrue greater
penalties, up to a configurable maximum. A PerSourcePenaltyExemptList
option allows certain address ranges to be exempt from all penalties.
We hope these options will make it significantly more difficult for
attackers to find accounts with weak/guessable passwords or exploit
bugs in sshd(8) itself.
PerSourcePenalties is off by default, but we expect to enable it
automatically in the near future.
much feedback markus@ and others, ok markus@
OpenBSD-Commit-ID: 89ded70eccb2b4926ef0366a4d58a693de366cca
2024-06-06 17:15:25 +00:00
|
|
|
struct xaddr;
|
|
|
|
|
|
|
|
struct per_source_penalty;
|
|
|
|
|
|
|
|
void srclimit_init(int, int, int, int,
|
|
|
|
struct per_source_penalty *, const char *);
|
2021-01-09 12:10:02 +00:00
|
|
|
int srclimit_check_allow(int, int);
|
|
|
|
void srclimit_done(int);
|
upstream: Add a facility to sshd(8) to penalise particular
problematic client behaviours, controlled by two new sshd_config(5) options:
PerSourcePenalties and PerSourcePenaltyExemptList.
When PerSourcePenalties are enabled, sshd(8) will monitor the exit
status of its child pre-auth session processes. Through the exit
status, it can observe situations where the session did not
authenticate as expected. These conditions include when the client
repeatedly attempted authentication unsucessfully (possibly indicating
an attack against one or more accounts, e.g. password guessing), or
when client behaviour caused sshd to crash (possibly indicating
attempts to exploit sshd).
When such a condition is observed, sshd will record a penalty of some
duration (e.g. 30 seconds) against the client's address. If this time
is above a minimum threshold specified by the PerSourcePenalties, then
connections from the client address will be refused (along with any
others in the same PerSourceNetBlockSize CIDR range).
Repeated offenses by the same client address will accrue greater
penalties, up to a configurable maximum. A PerSourcePenaltyExemptList
option allows certain address ranges to be exempt from all penalties.
We hope these options will make it significantly more difficult for
attackers to find accounts with weak/guessable passwords or exploit
bugs in sshd(8) itself.
PerSourcePenalties is off by default, but we expect to enable it
automatically in the near future.
much feedback markus@ and others, ok markus@
OpenBSD-Commit-ID: 89ded70eccb2b4926ef0366a4d58a693de366cca
2024-06-06 17:15:25 +00:00
|
|
|
|
|
|
|
#define SRCLIMIT_PENALTY_NONE 0
|
|
|
|
#define SRCLIMIT_PENALTY_CRASH 1
|
|
|
|
#define SRCLIMIT_PENALTY_AUTHFAIL 2
|
|
|
|
#define SRCLIMIT_PENALTY_GRACE_EXCEEDED 3
|
|
|
|
#define SRCLIMIT_PENALTY_NOAUTH 4
|
|
|
|
|
|
|
|
/* meaningful exit values, used by sshd listener for penalties */
|
|
|
|
#define EXIT_LOGIN_GRACE 3 /* login grace period exceeded */
|
|
|
|
#define EXIT_CHILD_CRASH 4 /* preauth child crashed */
|
|
|
|
#define EXIT_AUTH_ATTEMPTED 5 /* at least one auth attempt made */
|
|
|
|
|
|
|
|
void srclimit_penalise(struct xaddr *, int);
|
|
|
|
int srclimit_penalty_check_allow(int, const char **);
|
|
|
|
void srclimit_penalty_info(void);
|