diff --git a/servconf.c b/servconf.c
index e3f05aa75..9f8ffe8b2 100644
--- a/servconf.c
+++ b/servconf.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: servconf.c,v 1.415 2024/09/15 01:09:40 djm Exp $ */
+/* $OpenBSD: servconf.c,v 1.416 2024/09/15 01:11:26 djm Exp $ */
 /*
 * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland
 * All rights reserved
@@ -178,6 +178,7 @@ initialize_server_options(ServerOptions *options)
 options->per_source_penalty.penalty_authfail = -1;
 options->per_source_penalty.penalty_noauth = -1;
 options->per_source_penalty.penalty_grace = -1;
+ options->per_source_penalty.penalty_refuseconnection = -1;
 options->per_source_penalty.penalty_max = -1;
 options->per_source_penalty.penalty_min = -1;
 options->max_authtries = -1;
@@ -440,6 +441,8 @@ fill_default_server_options(ServerOptions *options)
 options->per_source_penalty.penalty_authfail = 5;
 if (options->per_source_penalty.penalty_noauth == -1)
 options->per_source_penalty.penalty_noauth = 1;
+ if (options->per_source_penalty.penalty_refuseconnection == -1)
+ options->per_source_penalty.penalty_refuseconnection = 10;
 if (options->per_source_penalty.penalty_min == -1)
 options->per_source_penalty.penalty_min = 15;
 if (options->per_source_penalty.penalty_max == -1)
@@ -2054,6 +2057,9 @@ process_server_config_line_depth(ServerOptions *options, char *line,
 } else if (strncmp(arg, "grace-exceeded:", 15) == 0) {
 p = arg + 15;
 intptr = &options->per_source_penalty.penalty_grace;
+ } else if (strncmp(arg, "refuseconnection:", 17) == 0) {
+ p = arg + 17;
+ intptr = &options->per_source_penalty.penalty_refuseconnection;
 } else if (strncmp(arg, "max:", 4) == 0) {
 p = arg + 4;
 intptr = &options->per_source_penalty.penalty_max;
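Review bot: The new `refuseconnection:` branch in process_server_config_line_depth matches a 17-byte prefix and reads the duration from `p = arg + 17`, so the value has to follow the colon directly inside one token, which is consistent with the sibling `grace-exceeded:` and `max:` branches. The dump_config hunk further down in this same diff, however, prints the field as `refuseconnection: %d` with a space after the colon, so `sshd -T` output would presumably not feed back through this parser (on the usual whitespace tokenisation this branch would be handed a bare `refuseconnection:` with an empty value); the format string there should read `"grace-exceeded:%d refuseconnection:%d max:%d min:%d "` to match every other key. The enclosing function begins and ends outside the hunk.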
@@ -3333,12 +3339,14 @@ dump_config(ServerOptions *o)
 if (o->per_source_penalty.enabled) {
 printf("persourcepenalties crash:%d authfail:%d noauth:%d "
- "grace-exceeded:%d max:%d min:%d max-sources4:%d "
- "max-sources6:%d overflow:%s overflow6:%s\n",
+ "grace-exceeded:%d refuseconnection: %d max:%d min:%d "
+ "max-sources4:%d max-sources6:%d "
+ "overflow:%s overflow6:%s\n",
 o->per_source_penalty.penalty_crash,
 o->per_source_penalty.penalty_authfail,
 o->per_source_penalty.penalty_noauth,
 o->per_source_penalty.penalty_grace,
+ o->per_source_penalty.penalty_refuseconnection,
 o->per_source_penalty.penalty_max,
 o->per_source_penalty.penalty_min,
 o->per_source_penalty.max_sources4,
diff --git a/servconf.h b/servconf.h
index f6d567049..ab6bcc0e2 100644
--- a/servconf.h
+++ b/servconf.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: servconf.h,v 1.166 2024/09/15 01:09:40 djm Exp $ */
+/* $OpenBSD: servconf.h,v 1.167 2024/09/15 01:11:26 djm Exp $ */
 /*
 * Author: Tatu Ylonen
@@ -77,6 +77,7 @@ struct per_source_penalty {
 int penalty_grace;
 int penalty_authfail;
 int penalty_noauth;
+ int penalty_refuseconnection;
 int penalty_max;
 int penalty_min;
 };
diff --git a/srclimit.c b/srclimit.c
index 3dbdbf675..33116fa52 100644
--- a/srclimit.c
+++ b/srclimit.c
@@ -381,6 +381,10 @@ srclimit_penalise(struct xaddr *addr, int penalty_type)
 penalty_secs = penalty_cfg.penalty_noauth;
 reason = "penalty: connections without attempting authentication";
 break;
+ case SRCLIMIT_PENALTY_REFUSECONNECTION:
+ penalty_secs = penalty_cfg.penalty_refuseconnection;
+ reason = "penalty: connection prohibited by RefuseConnection";
+ break;
 case SRCLIMIT_PENALTY_GRACE_EXCEEDED:
 penalty_secs = penalty_cfg.penalty_crash;
 reason = "penalty: exceeded LoginGraceTime";
diff --git a/srclimit.h b/srclimit.h
index 13164515b..77d951ba6 100644
--- a/srclimit.h
+++ b/srclimit.h
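Review bot: Directly below the new SRCLIMIT_PENALTY_REFUSECONNECTION case in srclimit_penalise, the SRCLIMIT_PENALTY_GRACE_EXCEEDED case still reads `penalty_secs = penalty_cfg.penalty_crash;`, even though the servconf.c hunk in this same diff parses `grace-exceeded:` into its own `penalty_grace` field; unless that is intentional, an administrator's configured grace-exceeded duration is silently ignored and the crash duration is applied in its place. The new case itself correctly uses `penalty_cfg.penalty_refuseconnection` and mirrors its siblings, which makes the line above it look like a copy-paste slip the commit could fix in passing with `penalty_secs = penalty_cfg.penalty_grace;`. srclimit_penalise begins and ends outside the hunk.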
@@ -22,11 +22,12 @@ void srclimit_init(int, int, int, int,
 int srclimit_check_allow(int, int);
 void srclimit_done(int);
-#define SRCLIMIT_PENALTY_NONE 0
-#define SRCLIMIT_PENALTY_CRASH 1
-#define SRCLIMIT_PENALTY_AUTHFAIL 2
-#define SRCLIMIT_PENALTY_GRACE_EXCEEDED 3
-#define SRCLIMIT_PENALTY_NOAUTH 4
+#define SRCLIMIT_PENALTY_NONE 0
+#define SRCLIMIT_PENALTY_CRASH 1
+#define SRCLIMIT_PENALTY_AUTHFAIL 2
+#define SRCLIMIT_PENALTY_GRACE_EXCEEDED 3
+#define SRCLIMIT_PENALTY_NOAUTH 4
+#define SRCLIMIT_PENALTY_REFUSECONNECTION 5
 /* meaningful exit values, used by sshd listener for penalties */
 #define EXIT_LOGIN_GRACE 3 /* login grace period exceeded */
diff --git a/sshd.c b/sshd.c
index 6827cedea..df76dc78c 100644
--- a/sshd.c
+++ b/sshd.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sshd.c,v 1.611 2024/09/12 00:36:27 djm Exp $ */
+/* $OpenBSD: sshd.c,v 1.612 2024/09/15 01:11:26 djm Exp $ */
 /*
 * Copyright (c) 2000, 2001, 2002 Markus Friedl. All rights reserved.
 * Copyright (c) 2002 Niels Provos. All rights reserved.
@@ -381,6 +381,13 @@ child_reap(struct early_child *child)
 (long)child->pid, child->id,
 child->early ? " (early)" : "");
 break;
+ case EXIT_CONFIG_REFUSED:
+ penalty_type = SRCLIMIT_PENALTY_REFUSECONNECTION;
+ debug_f("preauth child %ld for %s prohibited by"
+ "RefuseConnection %s",
+ (long)child->pid, child->id,
+ child->early ? " (early)" : "");
+ break;
 default:
 penalty_type = SRCLIMIT_PENALTY_NOAUTH;
 debug_f("preauth child %ld for %s exited "
diff --git a/sshd_config.5 b/sshd_config.5
index 56ed2bf1e..ce59843e5 100644
--- a/sshd_config.5
+++ b/sshd_config.5
@@ -33,7 +33,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: sshd_config.5,v 1.371 2024/09/15 01:09:40 djm Exp $
+.\" $OpenBSD: sshd_config.5,v 1.372 2024/09/15 01:11:26 djm Exp $
 .Dd $Mdocdate: September 15 2024 $
 .Dt SSHD_CONFIG 5
 .Os
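Review bot: In the new EXIT_CONFIG_REFUSED case of child_reap, the adjacent literals `"preauth child %ld for %s prohibited by"` and `"RefuseConnection %s"` concatenate to `prohibited byRefuseConnection`; the first literal should end with a space, `"preauth child %ld for %s prohibited by "`. It is only a debug-level line and does not change the penalty recorded, but it will defeat anyone grepping logs for the reason string. The EXIT_CONFIG_REFUSED value the case switches on is not visible in the srclimit.h hunk above, which appears cut short in this view, so confirm it is defined next to EXIT_LOGIN_GRACE. child_reap begins and ends outside the hunk.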
@@ -1605,6 +1605,11 @@ Specifies how long to refuse clients that cause a crash of .It Cm authfail:duration Specifies how long to refuse clients that disconnect after making one or more unsuccessful authentication attempts (default: 5s). +.It Cm refuseconnection:duration +Specified how long to refuse clients that were administratively prohibited +connection via the +.Cm RefuseConnection +option (default: 10s). .It Cm noauth:duration Specifies how long to refuse clients that disconnect without attempting authentication (default: 1s). @@ -1766,6 +1771,11 @@ The default is Indicates that .Xr sshd 8 should unconditionally terminate the connection. +Additionally, a +.Cm refuseconnection +penalty may be recorded against the source of the connection of +.Cm PerSourcePenalties +are enabled. This option is only really useful in a .Cm Match block.