mirror of
git://anongit.mindrot.org/openssh.git
synced 2024-11-27 05:46:36 +08:00
upstream: Add a "refuseconnection" penalty class to sshd_config
PerSourcePenalties This allows penalising connection sources that have had connections dropped by the RefuseConnection option. ok markus@ OpenBSD-Commit-ID: 3c8443c427470bb3eac1880aa075cb4864463cb6
This commit is contained in:
parent
8d21713b66
commit
7875975136
14
servconf.c
14
servconf.c
@ -1,4 +1,4 @@
|
||||
/* $OpenBSD: servconf.c,v 1.415 2024/09/15 01:09:40 djm Exp $ */
|
||||
/* $OpenBSD: servconf.c,v 1.416 2024/09/15 01:11:26 djm Exp $ */
|
||||
/*
|
||||
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
|
||||
* All rights reserved
|
||||
@ -178,6 +178,7 @@ initialize_server_options(ServerOptions *options)
|
||||
options->per_source_penalty.penalty_authfail = -1;
|
||||
options->per_source_penalty.penalty_noauth = -1;
|
||||
options->per_source_penalty.penalty_grace = -1;
|
||||
options->per_source_penalty.penalty_refuseconnection = -1;
|
||||
options->per_source_penalty.penalty_max = -1;
|
||||
options->per_source_penalty.penalty_min = -1;
|
||||
options->max_authtries = -1;
|
||||
@ -440,6 +441,8 @@ fill_default_server_options(ServerOptions *options)
|
||||
options->per_source_penalty.penalty_authfail = 5;
|
||||
if (options->per_source_penalty.penalty_noauth == -1)
|
||||
options->per_source_penalty.penalty_noauth = 1;
|
||||
if (options->per_source_penalty.penalty_refuseconnection == -1)
|
||||
options->per_source_penalty.penalty_refuseconnection = 10;
|
||||
if (options->per_source_penalty.penalty_min == -1)
|
||||
options->per_source_penalty.penalty_min = 15;
|
||||
if (options->per_source_penalty.penalty_max == -1)
|
||||
@ -2054,6 +2057,9 @@ process_server_config_line_depth(ServerOptions *options, char *line,
|
||||
} else if (strncmp(arg, "grace-exceeded:", 15) == 0) {
|
||||
p = arg + 15;
|
||||
intptr = &options->per_source_penalty.penalty_grace;
|
||||
} else if (strncmp(arg, "refuseconnection:", 17) == 0) {
|
||||
p = arg + 17;
|
||||
intptr = &options->per_source_penalty.penalty_refuseconnection;
|
||||
} else if (strncmp(arg, "max:", 4) == 0) {
|
||||
p = arg + 4;
|
||||
intptr = &options->per_source_penalty.penalty_max;
|
||||
@ -3333,12 +3339,14 @@ dump_config(ServerOptions *o)
|
||||
|
||||
if (o->per_source_penalty.enabled) {
|
||||
printf("persourcepenalties crash:%d authfail:%d noauth:%d "
|
||||
"grace-exceeded:%d max:%d min:%d max-sources4:%d "
|
||||
"max-sources6:%d overflow:%s overflow6:%s\n",
|
||||
"grace-exceeded:%d refuseconnection: %d max:%d min:%d "
|
||||
"max-sources4:%d max-sources6:%d "
|
||||
"overflow:%s overflow6:%s\n",
|
||||
o->per_source_penalty.penalty_crash,
|
||||
o->per_source_penalty.penalty_authfail,
|
||||
o->per_source_penalty.penalty_noauth,
|
||||
o->per_source_penalty.penalty_grace,
|
||||
o->per_source_penalty.penalty_refuseconnection,
|
||||
o->per_source_penalty.penalty_max,
|
||||
o->per_source_penalty.penalty_min,
|
||||
o->per_source_penalty.max_sources4,
|
||||
|
@ -1,4 +1,4 @@
|
||||
/* $OpenBSD: servconf.h,v 1.166 2024/09/15 01:09:40 djm Exp $ */
|
||||
/* $OpenBSD: servconf.h,v 1.167 2024/09/15 01:11:26 djm Exp $ */
|
||||
|
||||
/*
|
||||
* Author: Tatu Ylonen <ylo@cs.hut.fi>
|
||||
@ -77,6 +77,7 @@ struct per_source_penalty {
|
||||
int penalty_grace;
|
||||
int penalty_authfail;
|
||||
int penalty_noauth;
|
||||
int penalty_refuseconnection;
|
||||
int penalty_max;
|
||||
int penalty_min;
|
||||
};
|
||||
|
@ -381,6 +381,10 @@ srclimit_penalise(struct xaddr *addr, int penalty_type)
|
||||
penalty_secs = penalty_cfg.penalty_noauth;
|
||||
reason = "penalty: connections without attempting authentication";
|
||||
break;
|
||||
case SRCLIMIT_PENALTY_REFUSECONNECTION:
|
||||
penalty_secs = penalty_cfg.penalty_refuseconnection;
|
||||
reason = "penalty: connection prohibited by RefuseConnection";
|
||||
break;
|
||||
case SRCLIMIT_PENALTY_GRACE_EXCEEDED:
|
||||
penalty_secs = penalty_cfg.penalty_crash;
|
||||
reason = "penalty: exceeded LoginGraceTime";
|
||||
|
@ -27,6 +27,7 @@ void srclimit_done(int);
|
||||
#define SRCLIMIT_PENALTY_AUTHFAIL 2
|
||||
#define SRCLIMIT_PENALTY_GRACE_EXCEEDED 3
|
||||
#define SRCLIMIT_PENALTY_NOAUTH 4
|
||||
#define SRCLIMIT_PENALTY_REFUSECONNECTION 5
|
||||
|
||||
/* meaningful exit values, used by sshd listener for penalties */
|
||||
#define EXIT_LOGIN_GRACE 3 /* login grace period exceeded */
|
||||
|
9
sshd.c
9
sshd.c
@ -1,4 +1,4 @@
|
||||
/* $OpenBSD: sshd.c,v 1.611 2024/09/12 00:36:27 djm Exp $ */
|
||||
/* $OpenBSD: sshd.c,v 1.612 2024/09/15 01:11:26 djm Exp $ */
|
||||
/*
|
||||
* Copyright (c) 2000, 2001, 2002 Markus Friedl. All rights reserved.
|
||||
* Copyright (c) 2002 Niels Provos. All rights reserved.
|
||||
@ -381,6 +381,13 @@ child_reap(struct early_child *child)
|
||||
(long)child->pid, child->id,
|
||||
child->early ? " (early)" : "");
|
||||
break;
|
||||
case EXIT_CONFIG_REFUSED:
|
||||
penalty_type = SRCLIMIT_PENALTY_REFUSECONNECTION;
|
||||
debug_f("preauth child %ld for %s prohibited by"
|
||||
"RefuseConnection %s",
|
||||
(long)child->pid, child->id,
|
||||
child->early ? " (early)" : "");
|
||||
break;
|
||||
default:
|
||||
penalty_type = SRCLIMIT_PENALTY_NOAUTH;
|
||||
debug_f("preauth child %ld for %s exited "
|
||||
|
@ -33,7 +33,7 @@
|
||||
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
|
||||
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||
.\"
|
||||
.\" $OpenBSD: sshd_config.5,v 1.371 2024/09/15 01:09:40 djm Exp $
|
||||
.\" $OpenBSD: sshd_config.5,v 1.372 2024/09/15 01:11:26 djm Exp $
|
||||
.Dd $Mdocdate: September 15 2024 $
|
||||
.Dt SSHD_CONFIG 5
|
||||
.Os
|
||||
@ -1605,6 +1605,11 @@ Specifies how long to refuse clients that cause a crash of
|
||||
.It Cm authfail:duration
|
||||
Specifies how long to refuse clients that disconnect after making one or more
|
||||
unsuccessful authentication attempts (default: 5s).
|
||||
.It Cm refuseconnection:duration
|
||||
Specified how long to refuse clients that were administratively prohibited
|
||||
connection via the
|
||||
.Cm RefuseConnection
|
||||
option (default: 10s).
|
||||
.It Cm noauth:duration
|
||||
Specifies how long to refuse clients that disconnect without attempting
|
||||
authentication (default: 1s).
|
||||
@ -1766,6 +1771,11 @@ The default is
|
||||
Indicates that
|
||||
.Xr sshd 8
|
||||
should unconditionally terminate the connection.
|
||||
Additionally, a
|
||||
.Cm refuseconnection
|
||||
penalty may be recorded against the source of the connection of
|
||||
.Cm PerSourcePenalties
|
||||
are enabled.
|
||||
This option is only really useful in a
|
||||
.Cm Match
|
||||
block.
|
||||
|
Loading…
Reference in New Issue
Block a user