upstream: Add a "refuseconnection" penalty class to sshd_config

PerSourcePenalties

This allows penalising connection sources that have had connections
dropped by the RefuseConnection option. ok markus@

OpenBSD-Commit-ID: 3c8443c427470bb3eac1880aa075cb4864463cb6
This commit is contained in:
djm@openbsd.org 2024-09-15 01:11:26 +00:00 committed by Damien Miller
parent 8d21713b66
commit 7875975136
6 changed files with 42 additions and 11 deletions


@ -1,4 +1,4 @@
/* $OpenBSD: servconf.c,v 1.415 2024/09/15 01:09:40 djm Exp $ */ /* $OpenBSD: servconf.c,v 1.416 2024/09/15 01:11:26 djm Exp $ */
/* /*
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
* All rights reserved * All rights reserved
@ -178,6 +178,7 @@ initialize_server_options(ServerOptions *options)
options->per_source_penalty.penalty_authfail = -1; options->per_source_penalty.penalty_authfail = -1;
options->per_source_penalty.penalty_noauth = -1; options->per_source_penalty.penalty_noauth = -1;
options->per_source_penalty.penalty_grace = -1; options->per_source_penalty.penalty_grace = -1;
options->per_source_penalty.penalty_refuseconnection = -1;
options->per_source_penalty.penalty_max = -1; options->per_source_penalty.penalty_max = -1;
options->per_source_penalty.penalty_min = -1; options->per_source_penalty.penalty_min = -1;
options->max_authtries = -1; options->max_authtries = -1;
@ -440,6 +441,8 @@ fill_default_server_options(ServerOptions *options)
options->per_source_penalty.penalty_authfail = 5; options->per_source_penalty.penalty_authfail = 5;
if (options->per_source_penalty.penalty_noauth == -1) if (options->per_source_penalty.penalty_noauth == -1)
options->per_source_penalty.penalty_noauth = 1; options->per_source_penalty.penalty_noauth = 1;
if (options->per_source_penalty.penalty_refuseconnection == -1)
options->per_source_penalty.penalty_refuseconnection = 10;
if (options->per_source_penalty.penalty_min == -1) if (options->per_source_penalty.penalty_min == -1)
options->per_source_penalty.penalty_min = 15; options->per_source_penalty.penalty_min = 15;
if (options->per_source_penalty.penalty_max == -1) if (options->per_source_penalty.penalty_max == -1)
@ -2054,6 +2057,9 @@ process_server_config_line_depth(ServerOptions *options, char *line,
} else if (strncmp(arg, "grace-exceeded:", 15) == 0) { } else if (strncmp(arg, "grace-exceeded:", 15) == 0) {
p = arg + 15; p = arg + 15;
intptr = &options->per_source_penalty.penalty_grace; intptr = &options->per_source_penalty.penalty_grace;
} else if (strncmp(arg, "refuseconnection:", 17) == 0) {
p = arg + 17;
intptr = &options->per_source_penalty.penalty_refuseconnection;
} else if (strncmp(arg, "max:", 4) == 0) { } else if (strncmp(arg, "max:", 4) == 0) {
p = arg + 4; p = arg + 4;
intptr = &options->per_source_penalty.penalty_max; intptr = &options->per_source_penalty.penalty_max;
@ -3333,12 +3339,14 @@ dump_config(ServerOptions *o)
if (o->per_source_penalty.enabled) { if (o->per_source_penalty.enabled) {
printf("persourcepenalties crash:%d authfail:%d noauth:%d " printf("persourcepenalties crash:%d authfail:%d noauth:%d "
"grace-exceeded:%d max:%d min:%d max-sources4:%d " "grace-exceeded:%d refuseconnection: %d max:%d min:%d "
"max-sources6:%d overflow:%s overflow6:%s\n", "max-sources4:%d max-sources6:%d "
"overflow:%s overflow6:%s\n",
o->per_source_penalty.penalty_crash, o->per_source_penalty.penalty_crash,
o->per_source_penalty.penalty_authfail, o->per_source_penalty.penalty_authfail,
o->per_source_penalty.penalty_noauth, o->per_source_penalty.penalty_noauth,
o->per_source_penalty.penalty_grace, o->per_source_penalty.penalty_grace,
o->per_source_penalty.penalty_refuseconnection,
o->per_source_penalty.penalty_max, o->per_source_penalty.penalty_max,
o->per_source_penalty.penalty_min, o->per_source_penalty.penalty_min,
o->per_source_penalty.max_sources4, o->per_source_penalty.max_sources4,
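Review bot: The dump_config format string on the new side of the last hunk prints `refuseconnection: %d` with a space after the colon, unlike every other key in that string and unlike the parser added in process_server_config_line_depth, which matches the literal `"refuseconnection:"` and reads the value from the 17 bytes immediately following it. If the option's arguments are whitespace-split, as the formatting of the other keys suggests, `sshd -T` output would no longer round-trip through the parser for this key; change the piece to `"grace-exceeded:%d refuseconnection:%d max:%d min:%d "`. The first three hunks (default -1, default 10, and the `refuseconnection:` parse branch) are consistent with each other. dump_config and the other three enclosing functions start and end outside the hunks shown.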


@ -1,4 +1,4 @@
/* $OpenBSD: servconf.h,v 1.166 2024/09/15 01:09:40 djm Exp $ */ /* $OpenBSD: servconf.h,v 1.167 2024/09/15 01:11:26 djm Exp $ */
/* /*
* Author: Tatu Ylonen <ylo@cs.hut.fi> * Author: Tatu Ylonen <ylo@cs.hut.fi>
@ -77,6 +77,7 @@ struct per_source_penalty {
int penalty_grace; int penalty_grace;
int penalty_authfail; int penalty_authfail;
int penalty_noauth; int penalty_noauth;
int penalty_refuseconnection;
int penalty_max; int penalty_max;
int penalty_min; int penalty_min;
}; };


@ -381,6 +381,10 @@ srclimit_penalise(struct xaddr *addr, int penalty_type)
penalty_secs = penalty_cfg.penalty_noauth; penalty_secs = penalty_cfg.penalty_noauth;
reason = "penalty: connections without attempting authentication"; reason = "penalty: connections without attempting authentication";
break; break;
case SRCLIMIT_PENALTY_REFUSECONNECTION:
penalty_secs = penalty_cfg.penalty_refuseconnection;
reason = "penalty: connection prohibited by RefuseConnection";
break;
case SRCLIMIT_PENALTY_GRACE_EXCEEDED: case SRCLIMIT_PENALTY_GRACE_EXCEEDED:
penalty_secs = penalty_cfg.penalty_crash; penalty_secs = penalty_cfg.penalty_crash;
reason = "penalty: exceeded LoginGraceTime"; reason = "penalty: exceeded LoginGraceTime";
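Review bot: The adjacent grace-exceeded case in this same switch reads `penalty_cfg.penalty_crash`, although servconf.c stores the `grace-exceeded:` value in `penalty_grace`; the new SRCLIMIT_PENALTY_REFUSECONNECTION case correctly reads its own `penalty_refuseconnection` field, which makes the neighbouring mismatch stand out. That line is pre-existing and not part of this change, but unless it is deliberate an operator who configures grace-exceeded: separately is penalised for the crash duration instead; a follow-up would change it to `penalty_secs = penalty_cfg.penalty_grace;`. srclimit_penalise starts and ends outside the hunk, so the rest of the switch is not visible here.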


@ -22,11 +22,12 @@ void srclimit_init(int, int, int, int,
int srclimit_check_allow(int, int); int srclimit_check_allow(int, int);
void srclimit_done(int); void srclimit_done(int);
#define SRCLIMIT_PENALTY_NONE 0 #define SRCLIMIT_PENALTY_NONE 0
#define SRCLIMIT_PENALTY_CRASH 1 #define SRCLIMIT_PENALTY_CRASH 1
#define SRCLIMIT_PENALTY_AUTHFAIL 2 #define SRCLIMIT_PENALTY_AUTHFAIL 2
#define SRCLIMIT_PENALTY_GRACE_EXCEEDED 3 #define SRCLIMIT_PENALTY_GRACE_EXCEEDED 3
#define SRCLIMIT_PENALTY_NOAUTH 4 #define SRCLIMIT_PENALTY_NOAUTH 4
#define SRCLIMIT_PENALTY_REFUSECONNECTION 5
/* meaningful exit values, used by sshd listener for penalties */ /* meaningful exit values, used by sshd listener for penalties */
#define EXIT_LOGIN_GRACE 3 /* login grace period exceeded */ #define EXIT_LOGIN_GRACE 3 /* login grace period exceeded */

9
sshd.c

@ -1,4 +1,4 @@
/* $OpenBSD: sshd.c,v 1.611 2024/09/12 00:36:27 djm Exp $ */ /* $OpenBSD: sshd.c,v 1.612 2024/09/15 01:11:26 djm Exp $ */
/* /*
* Copyright (c) 2000, 2001, 2002 Markus Friedl. All rights reserved. * Copyright (c) 2000, 2001, 2002 Markus Friedl. All rights reserved.
* Copyright (c) 2002 Niels Provos. All rights reserved. * Copyright (c) 2002 Niels Provos. All rights reserved.
@ -381,6 +381,13 @@ child_reap(struct early_child *child)
(long)child->pid, child->id, (long)child->pid, child->id,
child->early ? " (early)" : ""); child->early ? " (early)" : "");
break; break;
case EXIT_CONFIG_REFUSED:
penalty_type = SRCLIMIT_PENALTY_REFUSECONNECTION;
debug_f("preauth child %ld for %s prohibited by"
"RefuseConnection %s",
(long)child->pid, child->id,
child->early ? " (early)" : "");
break;
default: default:
penalty_type = SRCLIMIT_PENALTY_NOAUTH; penalty_type = SRCLIMIT_PENALTY_NOAUTH;
debug_f("preauth child %ld for %s exited " debug_f("preauth child %ld for %s exited "
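Review bot: The debug_f format in the new EXIT_CONFIG_REFUSED case is split as `"... prohibited by"` followed by `"RefuseConnection %s"` with no space between the adjacent literals, so the log line reads `prohibited byRefuseConnection`; change the first piece to `"preauth child %ld for %s prohibited by "`. It is only debug output, but these lines are what an operator greps when working out why a source was penalised, so the wording should read like the other cases in the switch. child_reap starts and ends outside the hunk.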


@ -33,7 +33,7 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\" .\"
.\" $OpenBSD: sshd_config.5,v 1.371 2024/09/15 01:09:40 djm Exp $ .\" $OpenBSD: sshd_config.5,v 1.372 2024/09/15 01:11:26 djm Exp $
.Dd $Mdocdate: September 15 2024 $ .Dd $Mdocdate: September 15 2024 $
.Dt SSHD_CONFIG 5 .Dt SSHD_CONFIG 5
.Os .Os
@ -1605,6 +1605,11 @@ Specifies how long to refuse clients that cause a crash of
.It Cm authfail:duration .It Cm authfail:duration
Specifies how long to refuse clients that disconnect after making one or more Specifies how long to refuse clients that disconnect after making one or more
unsuccessful authentication attempts (default: 5s). unsuccessful authentication attempts (default: 5s).
.It Cm refuseconnection:duration
Specified how long to refuse clients that were administratively prohibited
connection via the
.Cm RefuseConnection
option (default: 10s).
.It Cm noauth:duration .It Cm noauth:duration
Specifies how long to refuse clients that disconnect without attempting Specifies how long to refuse clients that disconnect without attempting
authentication (default: 1s). authentication (default: 1s).
@ -1766,6 +1771,11 @@ The default is
Indicates that Indicates that
.Xr sshd 8 .Xr sshd 8
should unconditionally terminate the connection. should unconditionally terminate the connection.
Additionally, a
.Cm refuseconnection
penalty may be recorded against the source of the connection of
.Cm PerSourcePenalties
are enabled.
This option is only really useful in a This option is only really useful in a
.Cm Match .Cm Match
block. block.