upstream: Add a "refuseconnection" penalty class to sshd_config

PerSourcePenalties

This allows penalising connection sources that have had connections
dropped by the RefuseConnection option. ok markus@

OpenBSD-Commit-ID: 3c8443c427470bb3eac1880aa075cb4864463cb6
This commit is contained in:
djm@openbsd.org 2024-09-15 01:11:26 +00:00 committed by Damien Miller
parent 8d21713b66
commit 7875975136
No known key found for this signature in database
6 changed files with 42 additions and 11 deletions

View File

@ -1,4 +1,4 @@
/* $OpenBSD: servconf.c,v 1.415 2024/09/15 01:09:40 djm Exp $ */
/* $OpenBSD: servconf.c,v 1.416 2024/09/15 01:11:26 djm Exp $ */
/*
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
* All rights reserved
@ -178,6 +178,7 @@ initialize_server_options(ServerOptions *options)
options->per_source_penalty.penalty_authfail = -1;
options->per_source_penalty.penalty_noauth = -1;
options->per_source_penalty.penalty_grace = -1;
options->per_source_penalty.penalty_refuseconnection = -1;
options->per_source_penalty.penalty_max = -1;
options->per_source_penalty.penalty_min = -1;
options->max_authtries = -1;
@ -440,6 +441,8 @@ fill_default_server_options(ServerOptions *options)
options->per_source_penalty.penalty_authfail = 5;
if (options->per_source_penalty.penalty_noauth == -1)
options->per_source_penalty.penalty_noauth = 1;
if (options->per_source_penalty.penalty_refuseconnection == -1)
options->per_source_penalty.penalty_refuseconnection = 10;
if (options->per_source_penalty.penalty_min == -1)
options->per_source_penalty.penalty_min = 15;
if (options->per_source_penalty.penalty_max == -1)
@ -2054,6 +2057,9 @@ process_server_config_line_depth(ServerOptions *options, char *line,
} else if (strncmp(arg, "grace-exceeded:", 15) == 0) {
p = arg + 15;
intptr = &options->per_source_penalty.penalty_grace;
} else if (strncmp(arg, "refuseconnection:", 17) == 0) {
p = arg + 17;
intptr = &options->per_source_penalty.penalty_refuseconnection;
} else if (strncmp(arg, "max:", 4) == 0) {
p = arg + 4;
intptr = &options->per_source_penalty.penalty_max;
@ -3333,12 +3339,14 @@ dump_config(ServerOptions *o)
if (o->per_source_penalty.enabled) {
printf("persourcepenalties crash:%d authfail:%d noauth:%d "
"grace-exceeded:%d max:%d min:%d max-sources4:%d "
"max-sources6:%d overflow:%s overflow6:%s\n",
"grace-exceeded:%d refuseconnection: %d max:%d min:%d "
"max-sources4:%d max-sources6:%d "
"overflow:%s overflow6:%s\n",
o->per_source_penalty.penalty_crash,
o->per_source_penalty.penalty_authfail,
o->per_source_penalty.penalty_noauth,
o->per_source_penalty.penalty_grace,
o->per_source_penalty.penalty_refuseconnection,
o->per_source_penalty.penalty_max,
o->per_source_penalty.penalty_min,
o->per_source_penalty.max_sources4,

View File

@ -1,4 +1,4 @@
/* $OpenBSD: servconf.h,v 1.166 2024/09/15 01:09:40 djm Exp $ */
/* $OpenBSD: servconf.h,v 1.167 2024/09/15 01:11:26 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
@ -77,6 +77,7 @@ struct per_source_penalty {
int penalty_grace;
int penalty_authfail;
int penalty_noauth;
int penalty_refuseconnection;
int penalty_max;
int penalty_min;
};

View File

@ -381,6 +381,10 @@ srclimit_penalise(struct xaddr *addr, int penalty_type)
penalty_secs = penalty_cfg.penalty_noauth;
reason = "penalty: connections without attempting authentication";
break;
case SRCLIMIT_PENALTY_REFUSECONNECTION:
penalty_secs = penalty_cfg.penalty_refuseconnection;
reason = "penalty: connection prohibited by RefuseConnection";
break;
case SRCLIMIT_PENALTY_GRACE_EXCEEDED:
penalty_secs = penalty_cfg.penalty_crash;
reason = "penalty: exceeded LoginGraceTime";

View File

@ -27,6 +27,7 @@ void srclimit_done(int);
#define SRCLIMIT_PENALTY_AUTHFAIL 2
#define SRCLIMIT_PENALTY_GRACE_EXCEEDED 3
#define SRCLIMIT_PENALTY_NOAUTH 4
#define SRCLIMIT_PENALTY_REFUSECONNECTION 5
/* meaningful exit values, used by sshd listener for penalties */
#define EXIT_LOGIN_GRACE 3 /* login grace period exceeded */

9
sshd.c
View File

@ -1,4 +1,4 @@
/* $OpenBSD: sshd.c,v 1.611 2024/09/12 00:36:27 djm Exp $ */
/* $OpenBSD: sshd.c,v 1.612 2024/09/15 01:11:26 djm Exp $ */
/*
* Copyright (c) 2000, 2001, 2002 Markus Friedl. All rights reserved.
* Copyright (c) 2002 Niels Provos. All rights reserved.
@ -381,6 +381,13 @@ child_reap(struct early_child *child)
(long)child->pid, child->id,
child->early ? " (early)" : "");
break;
case EXIT_CONFIG_REFUSED:
penalty_type = SRCLIMIT_PENALTY_REFUSECONNECTION;
debug_f("preauth child %ld for %s prohibited by"
"RefuseConnection %s",
(long)child->pid, child->id,
child->early ? " (early)" : "");
break;
default:
penalty_type = SRCLIMIT_PENALTY_NOAUTH;
debug_f("preauth child %ld for %s exited "

View File

@ -33,7 +33,7 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
.\" $OpenBSD: sshd_config.5,v 1.371 2024/09/15 01:09:40 djm Exp $
.\" $OpenBSD: sshd_config.5,v 1.372 2024/09/15 01:11:26 djm Exp $
.Dd $Mdocdate: September 15 2024 $
.Dt SSHD_CONFIG 5
.Os
@ -1605,6 +1605,11 @@ Specifies how long to refuse clients that cause a crash of
.It Cm authfail:duration
Specifies how long to refuse clients that disconnect after making one or more
unsuccessful authentication attempts (default: 5s).
.It Cm refuseconnection:duration
Specified how long to refuse clients that were administratively prohibited
connection via the
.Cm RefuseConnection
option (default: 10s).
.It Cm noauth:duration
Specifies how long to refuse clients that disconnect without attempting
authentication (default: 1s).
@ -1766,6 +1771,11 @@ The default is
Indicates that
.Xr sshd 8
should unconditionally terminate the connection.
Additionally, a
.Cm refuseconnection
penalty may be recorded against the source of the connection of
.Cm PerSourcePenalties
are enabled.
This option is only really useful in a
.Cm Match
block.