2021-01-09 13:10:02 +01:00
|
|
|
/*
|
|
|
|
* Copyright (c) 2020 Darren Tucker <dtucker@openbsd.org>
|
upstream: Add a facility to sshd(8) to penalise particular
problematic client behaviours, controlled by two new sshd_config(5) options:
PerSourcePenalties and PerSourcePenaltyExemptList.
When PerSourcePenalties are enabled, sshd(8) will monitor the exit
status of its child pre-auth session processes. Through the exit
status, it can observe situations where the session did not
authenticate as expected. These conditions include when the client
repeatedly attempted authentication unsucessfully (possibly indicating
an attack against one or more accounts, e.g. password guessing), or
when client behaviour caused sshd to crash (possibly indicating
attempts to exploit sshd).
When such a condition is observed, sshd will record a penalty of some
duration (e.g. 30 seconds) against the client's address. If this time
is above a minimum threshold specified by the PerSourcePenalties, then
connections from the client address will be refused (along with any
others in the same PerSourceNetBlockSize CIDR range).
Repeated offenses by the same client address will accrue greater
penalties, up to a configurable maximum. A PerSourcePenaltyExemptList
option allows certain address ranges to be exempt from all penalties.
We hope these options will make it significantly more difficult for
attackers to find accounts with weak/guessable passwords or exploit
bugs in sshd(8) itself.
PerSourcePenalties is off by default, but we expect to enable it
automatically in the near future.
much feedback markus@ and others, ok markus@
OpenBSD-Commit-ID: 89ded70eccb2b4926ef0366a4d58a693de366cca
2024-06-06 19:15:25 +02:00
|
|
|
* Copyright (c) 2024 Damien Miller <djm@mindrot.org>
|
2021-01-09 13:10:02 +01:00
|
|
|
*
|
|
|
|
* Permission to use, copy, modify, and distribute this software for any
|
|
|
|
* purpose with or without fee is hereby granted, provided that the above
|
|
|
|
* copyright notice and this permission notice appear in all copies.
|
|
|
|
*
|
|
|
|
* THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
|
|
|
|
* WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
|
|
|
|
* MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
|
|
|
|
* ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
|
|
|
|
* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
|
|
|
|
* ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
|
|
|
|
* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
|
|
|
|
*/
|
|
|
|
|
|
|
|
#include "includes.h"
|
|
|
|
|
|
|
|
#include <sys/socket.h>
|
|
|
|
#include <sys/types.h>
|
upstream: Add a facility to sshd(8) to penalise particular
problematic client behaviours, controlled by two new sshd_config(5) options:
PerSourcePenalties and PerSourcePenaltyExemptList.
When PerSourcePenalties are enabled, sshd(8) will monitor the exit
status of its child pre-auth session processes. Through the exit
status, it can observe situations where the session did not
authenticate as expected. These conditions include when the client
repeatedly attempted authentication unsucessfully (possibly indicating
an attack against one or more accounts, e.g. password guessing), or
when client behaviour caused sshd to crash (possibly indicating
attempts to exploit sshd).
When such a condition is observed, sshd will record a penalty of some
duration (e.g. 30 seconds) against the client's address. If this time
is above a minimum threshold specified by the PerSourcePenalties, then
connections from the client address will be refused (along with any
others in the same PerSourceNetBlockSize CIDR range).
Repeated offenses by the same client address will accrue greater
penalties, up to a configurable maximum. A PerSourcePenaltyExemptList
option allows certain address ranges to be exempt from all penalties.
We hope these options will make it significantly more difficult for
attackers to find accounts with weak/guessable passwords or exploit
bugs in sshd(8) itself.
PerSourcePenalties is off by default, but we expect to enable it
automatically in the near future.
much feedback markus@ and others, ok markus@
OpenBSD-Commit-ID: 89ded70eccb2b4926ef0366a4d58a693de366cca
2024-06-06 19:15:25 +02:00
|
|
|
#include <openbsd-compat/sys-tree.h>
|
2021-01-09 13:10:02 +01:00
|
|
|
|
|
|
|
#include <limits.h>
|
|
|
|
#include <netdb.h>
|
|
|
|
#include <stdio.h>
|
|
|
|
#include <string.h>
|
upstream: Add a facility to sshd(8) to penalise particular
problematic client behaviours, controlled by two new sshd_config(5) options:
PerSourcePenalties and PerSourcePenaltyExemptList.
When PerSourcePenalties are enabled, sshd(8) will monitor the exit
status of its child pre-auth session processes. Through the exit
status, it can observe situations where the session did not
authenticate as expected. These conditions include when the client
repeatedly attempted authentication unsucessfully (possibly indicating
an attack against one or more accounts, e.g. password guessing), or
when client behaviour caused sshd to crash (possibly indicating
attempts to exploit sshd).
When such a condition is observed, sshd will record a penalty of some
duration (e.g. 30 seconds) against the client's address. If this time
is above a minimum threshold specified by the PerSourcePenalties, then
connections from the client address will be refused (along with any
others in the same PerSourceNetBlockSize CIDR range).
Repeated offenses by the same client address will accrue greater
penalties, up to a configurable maximum. A PerSourcePenaltyExemptList
option allows certain address ranges to be exempt from all penalties.
We hope these options will make it significantly more difficult for
attackers to find accounts with weak/guessable passwords or exploit
bugs in sshd(8) itself.
PerSourcePenalties is off by default, but we expect to enable it
automatically in the near future.
much feedback markus@ and others, ok markus@
OpenBSD-Commit-ID: 89ded70eccb2b4926ef0366a4d58a693de366cca
2024-06-06 19:15:25 +02:00
|
|
|
#include <stdlib.h>
|
2021-01-09 13:10:02 +01:00
|
|
|
|
|
|
|
#include "addr.h"
|
|
|
|
#include "canohost.h"
|
|
|
|
#include "log.h"
|
|
|
|
#include "misc.h"
|
|
|
|
#include "srclimit.h"
|
|
|
|
#include "xmalloc.h"
|
upstream: Add a facility to sshd(8) to penalise particular
problematic client behaviours, controlled by two new sshd_config(5) options:
PerSourcePenalties and PerSourcePenaltyExemptList.
When PerSourcePenalties are enabled, sshd(8) will monitor the exit
status of its child pre-auth session processes. Through the exit
status, it can observe situations where the session did not
authenticate as expected. These conditions include when the client
repeatedly attempted authentication unsucessfully (possibly indicating
an attack against one or more accounts, e.g. password guessing), or
when client behaviour caused sshd to crash (possibly indicating
attempts to exploit sshd).
When such a condition is observed, sshd will record a penalty of some
duration (e.g. 30 seconds) against the client's address. If this time
is above a minimum threshold specified by the PerSourcePenalties, then
connections from the client address will be refused (along with any
others in the same PerSourceNetBlockSize CIDR range).
Repeated offenses by the same client address will accrue greater
penalties, up to a configurable maximum. A PerSourcePenaltyExemptList
option allows certain address ranges to be exempt from all penalties.
We hope these options will make it significantly more difficult for
attackers to find accounts with weak/guessable passwords or exploit
bugs in sshd(8) itself.
PerSourcePenalties is off by default, but we expect to enable it
automatically in the near future.
much feedback markus@ and others, ok markus@
OpenBSD-Commit-ID: 89ded70eccb2b4926ef0366a4d58a693de366cca
2024-06-06 19:15:25 +02:00
|
|
|
#include "servconf.h"
|
|
|
|
#include "match.h"
|
2021-01-09 13:10:02 +01:00
|
|
|
|
|
|
|
static int max_children, max_persource, ipv4_masklen, ipv6_masklen;
|
upstream: Add a facility to sshd(8) to penalise particular
problematic client behaviours, controlled by two new sshd_config(5) options:
PerSourcePenalties and PerSourcePenaltyExemptList.
When PerSourcePenalties are enabled, sshd(8) will monitor the exit
status of its child pre-auth session processes. Through the exit
status, it can observe situations where the session did not
authenticate as expected. These conditions include when the client
repeatedly attempted authentication unsucessfully (possibly indicating
an attack against one or more accounts, e.g. password guessing), or
when client behaviour caused sshd to crash (possibly indicating
attempts to exploit sshd).
When such a condition is observed, sshd will record a penalty of some
duration (e.g. 30 seconds) against the client's address. If this time
is above a minimum threshold specified by the PerSourcePenalties, then
connections from the client address will be refused (along with any
others in the same PerSourceNetBlockSize CIDR range).
Repeated offenses by the same client address will accrue greater
penalties, up to a configurable maximum. A PerSourcePenaltyExemptList
option allows certain address ranges to be exempt from all penalties.
We hope these options will make it significantly more difficult for
attackers to find accounts with weak/guessable passwords or exploit
bugs in sshd(8) itself.
PerSourcePenalties is off by default, but we expect to enable it
automatically in the near future.
much feedback markus@ and others, ok markus@
OpenBSD-Commit-ID: 89ded70eccb2b4926ef0366a4d58a693de366cca
2024-06-06 19:15:25 +02:00
|
|
|
static struct per_source_penalty penalty_cfg;
|
|
|
|
static char *penalty_exempt;
|
2021-01-09 13:10:02 +01:00
|
|
|
|
|
|
|
/* Per connection state, used to enforce unauthenticated connection limit. */
|
|
|
|
static struct child_info {
|
|
|
|
int id;
|
|
|
|
struct xaddr addr;
|
2024-06-07 15:23:30 +02:00
|
|
|
} *children;
|
2021-01-09 13:10:02 +01:00
|
|
|
|
upstream: Add a facility to sshd(8) to penalise particular
problematic client behaviours, controlled by two new sshd_config(5) options:
PerSourcePenalties and PerSourcePenaltyExemptList.
When PerSourcePenalties are enabled, sshd(8) will monitor the exit
status of its child pre-auth session processes. Through the exit
status, it can observe situations where the session did not
authenticate as expected. These conditions include when the client
repeatedly attempted authentication unsucessfully (possibly indicating
an attack against one or more accounts, e.g. password guessing), or
when client behaviour caused sshd to crash (possibly indicating
attempts to exploit sshd).
When such a condition is observed, sshd will record a penalty of some
duration (e.g. 30 seconds) against the client's address. If this time
is above a minimum threshold specified by the PerSourcePenalties, then
connections from the client address will be refused (along with any
others in the same PerSourceNetBlockSize CIDR range).
Repeated offenses by the same client address will accrue greater
penalties, up to a configurable maximum. A PerSourcePenaltyExemptList
option allows certain address ranges to be exempt from all penalties.
We hope these options will make it significantly more difficult for
attackers to find accounts with weak/guessable passwords or exploit
bugs in sshd(8) itself.
PerSourcePenalties is off by default, but we expect to enable it
automatically in the near future.
much feedback markus@ and others, ok markus@
OpenBSD-Commit-ID: 89ded70eccb2b4926ef0366a4d58a693de366cca
2024-06-06 19:15:25 +02:00
|
|
|
/*
|
|
|
|
* Penalised addresses, active entries here prohibit connections until expired.
|
|
|
|
* Entries become active when more than penalty_min seconds of penalty are
|
|
|
|
* outstanding.
|
|
|
|
*/
|
|
|
|
struct penalty {
|
|
|
|
struct xaddr addr;
|
|
|
|
time_t expiry;
|
|
|
|
int active;
|
|
|
|
const char *reason;
|
|
|
|
RB_ENTRY(penalty) by_addr;
|
|
|
|
RB_ENTRY(penalty) by_expiry;
|
|
|
|
};
|
|
|
|
static int penalty_addr_cmp(struct penalty *a, struct penalty *b);
|
|
|
|
static int penalty_expiry_cmp(struct penalty *a, struct penalty *b);
|
2024-06-13 00:36:00 +02:00
|
|
|
RB_HEAD(penalties_by_addr, penalty) penalties_by_addr4, penalties_by_addr6;
|
|
|
|
RB_HEAD(penalties_by_expiry, penalty) penalties_by_expiry4, penalties_by_expiry6;
|
upstream: Add a facility to sshd(8) to penalise particular
problematic client behaviours, controlled by two new sshd_config(5) options:
PerSourcePenalties and PerSourcePenaltyExemptList.
When PerSourcePenalties are enabled, sshd(8) will monitor the exit
status of its child pre-auth session processes. Through the exit
status, it can observe situations where the session did not
authenticate as expected. These conditions include when the client
repeatedly attempted authentication unsucessfully (possibly indicating
an attack against one or more accounts, e.g. password guessing), or
when client behaviour caused sshd to crash (possibly indicating
attempts to exploit sshd).
When such a condition is observed, sshd will record a penalty of some
duration (e.g. 30 seconds) against the client's address. If this time
is above a minimum threshold specified by the PerSourcePenalties, then
connections from the client address will be refused (along with any
others in the same PerSourceNetBlockSize CIDR range).
Repeated offenses by the same client address will accrue greater
penalties, up to a configurable maximum. A PerSourcePenaltyExemptList
option allows certain address ranges to be exempt from all penalties.
We hope these options will make it significantly more difficult for
attackers to find accounts with weak/guessable passwords or exploit
bugs in sshd(8) itself.
PerSourcePenalties is off by default, but we expect to enable it
automatically in the near future.
much feedback markus@ and others, ok markus@
OpenBSD-Commit-ID: 89ded70eccb2b4926ef0366a4d58a693de366cca
2024-06-06 19:15:25 +02:00
|
|
|
RB_GENERATE_STATIC(penalties_by_addr, penalty, by_addr, penalty_addr_cmp)
|
|
|
|
RB_GENERATE_STATIC(penalties_by_expiry, penalty, by_expiry, penalty_expiry_cmp)
|
2024-06-13 00:36:00 +02:00
|
|
|
static size_t npenalties4, npenalties6;
|
upstream: Add a facility to sshd(8) to penalise particular
problematic client behaviours, controlled by two new sshd_config(5) options:
PerSourcePenalties and PerSourcePenaltyExemptList.
When PerSourcePenalties are enabled, sshd(8) will monitor the exit
status of its child pre-auth session processes. Through the exit
status, it can observe situations where the session did not
authenticate as expected. These conditions include when the client
repeatedly attempted authentication unsucessfully (possibly indicating
an attack against one or more accounts, e.g. password guessing), or
when client behaviour caused sshd to crash (possibly indicating
attempts to exploit sshd).
When such a condition is observed, sshd will record a penalty of some
duration (e.g. 30 seconds) against the client's address. If this time
is above a minimum threshold specified by the PerSourcePenalties, then
connections from the client address will be refused (along with any
others in the same PerSourceNetBlockSize CIDR range).
Repeated offenses by the same client address will accrue greater
penalties, up to a configurable maximum. A PerSourcePenaltyExemptList
option allows certain address ranges to be exempt from all penalties.
We hope these options will make it significantly more difficult for
attackers to find accounts with weak/guessable passwords or exploit
bugs in sshd(8) itself.
PerSourcePenalties is off by default, but we expect to enable it
automatically in the near future.
much feedback markus@ and others, ok markus@
OpenBSD-Commit-ID: 89ded70eccb2b4926ef0366a4d58a693de366cca
2024-06-06 19:15:25 +02:00
|
|
|
|
|
|
|
static int
|
|
|
|
srclimit_mask_addr(const struct xaddr *addr, int bits, struct xaddr *masked)
|
|
|
|
{
|
|
|
|
struct xaddr xmask;
|
|
|
|
|
|
|
|
/* Mask address off address to desired size. */
|
|
|
|
if (addr_netmask(addr->af, bits, &xmask) != 0 ||
|
|
|
|
addr_and(masked, addr, &xmask) != 0) {
|
|
|
|
debug3_f("%s: invalid mask %d bits", __func__, bits);
|
|
|
|
return -1;
|
|
|
|
}
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
static int
|
|
|
|
srclimit_peer_addr(int sock, struct xaddr *addr)
|
|
|
|
{
|
|
|
|
struct sockaddr_storage storage;
|
|
|
|
socklen_t addrlen = sizeof(storage);
|
|
|
|
struct sockaddr *sa = (struct sockaddr *)&storage;
|
|
|
|
|
|
|
|
if (getpeername(sock, sa, &addrlen) != 0)
|
|
|
|
return 1; /* not remote socket? */
|
|
|
|
if (addr_sa_to_xaddr(sa, addrlen, addr) != 0)
|
|
|
|
return 1; /* unknown address family? */
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
2021-01-09 13:10:02 +01:00
|
|
|
void
|
upstream: Add a facility to sshd(8) to penalise particular
problematic client behaviours, controlled by two new sshd_config(5) options:
PerSourcePenalties and PerSourcePenaltyExemptList.
When PerSourcePenalties are enabled, sshd(8) will monitor the exit
status of its child pre-auth session processes. Through the exit
status, it can observe situations where the session did not
authenticate as expected. These conditions include when the client
repeatedly attempted authentication unsucessfully (possibly indicating
an attack against one or more accounts, e.g. password guessing), or
when client behaviour caused sshd to crash (possibly indicating
attempts to exploit sshd).
When such a condition is observed, sshd will record a penalty of some
duration (e.g. 30 seconds) against the client's address. If this time
is above a minimum threshold specified by the PerSourcePenalties, then
connections from the client address will be refused (along with any
others in the same PerSourceNetBlockSize CIDR range).
Repeated offenses by the same client address will accrue greater
penalties, up to a configurable maximum. A PerSourcePenaltyExemptList
option allows certain address ranges to be exempt from all penalties.
We hope these options will make it significantly more difficult for
attackers to find accounts with weak/guessable passwords or exploit
bugs in sshd(8) itself.
PerSourcePenalties is off by default, but we expect to enable it
automatically in the near future.
much feedback markus@ and others, ok markus@
OpenBSD-Commit-ID: 89ded70eccb2b4926ef0366a4d58a693de366cca
2024-06-06 19:15:25 +02:00
|
|
|
srclimit_init(int max, int persource, int ipv4len, int ipv6len,
|
|
|
|
struct per_source_penalty *penalty_conf, const char *penalty_exempt_conf)
|
2021-01-09 13:10:02 +01:00
|
|
|
{
|
|
|
|
int i;
|
|
|
|
|
|
|
|
max_children = max;
|
|
|
|
ipv4_masklen = ipv4len;
|
|
|
|
ipv6_masklen = ipv6len;
|
|
|
|
max_persource = persource;
|
upstream: Add a facility to sshd(8) to penalise particular
problematic client behaviours, controlled by two new sshd_config(5) options:
PerSourcePenalties and PerSourcePenaltyExemptList.
When PerSourcePenalties are enabled, sshd(8) will monitor the exit
status of its child pre-auth session processes. Through the exit
status, it can observe situations where the session did not
authenticate as expected. These conditions include when the client
repeatedly attempted authentication unsucessfully (possibly indicating
an attack against one or more accounts, e.g. password guessing), or
when client behaviour caused sshd to crash (possibly indicating
attempts to exploit sshd).
When such a condition is observed, sshd will record a penalty of some
duration (e.g. 30 seconds) against the client's address. If this time
is above a minimum threshold specified by the PerSourcePenalties, then
connections from the client address will be refused (along with any
others in the same PerSourceNetBlockSize CIDR range).
Repeated offenses by the same client address will accrue greater
penalties, up to a configurable maximum. A PerSourcePenaltyExemptList
option allows certain address ranges to be exempt from all penalties.
We hope these options will make it significantly more difficult for
attackers to find accounts with weak/guessable passwords or exploit
bugs in sshd(8) itself.
PerSourcePenalties is off by default, but we expect to enable it
automatically in the near future.
much feedback markus@ and others, ok markus@
OpenBSD-Commit-ID: 89ded70eccb2b4926ef0366a4d58a693de366cca
2024-06-06 19:15:25 +02:00
|
|
|
penalty_cfg = *penalty_conf;
|
2024-06-13 00:36:00 +02:00
|
|
|
if (penalty_cfg.max_sources4 < 0 || penalty_cfg.max_sources6 < 0)
|
|
|
|
fatal_f("invalid max_sources"); /* shouldn't happen */
|
upstream: Add a facility to sshd(8) to penalise particular
problematic client behaviours, controlled by two new sshd_config(5) options:
PerSourcePenalties and PerSourcePenaltyExemptList.
When PerSourcePenalties are enabled, sshd(8) will monitor the exit
status of its child pre-auth session processes. Through the exit
status, it can observe situations where the session did not
authenticate as expected. These conditions include when the client
repeatedly attempted authentication unsucessfully (possibly indicating
an attack against one or more accounts, e.g. password guessing), or
when client behaviour caused sshd to crash (possibly indicating
attempts to exploit sshd).
When such a condition is observed, sshd will record a penalty of some
duration (e.g. 30 seconds) against the client's address. If this time
is above a minimum threshold specified by the PerSourcePenalties, then
connections from the client address will be refused (along with any
others in the same PerSourceNetBlockSize CIDR range).
Repeated offenses by the same client address will accrue greater
penalties, up to a configurable maximum. A PerSourcePenaltyExemptList
option allows certain address ranges to be exempt from all penalties.
We hope these options will make it significantly more difficult for
attackers to find accounts with weak/guessable passwords or exploit
bugs in sshd(8) itself.
PerSourcePenalties is off by default, but we expect to enable it
automatically in the near future.
much feedback markus@ and others, ok markus@
OpenBSD-Commit-ID: 89ded70eccb2b4926ef0366a4d58a693de366cca
2024-06-06 19:15:25 +02:00
|
|
|
penalty_exempt = penalty_exempt_conf == NULL ?
|
|
|
|
NULL : xstrdup(penalty_exempt_conf);
|
2024-06-13 00:36:00 +02:00
|
|
|
RB_INIT(&penalties_by_addr4);
|
|
|
|
RB_INIT(&penalties_by_expiry4);
|
|
|
|
RB_INIT(&penalties_by_addr6);
|
|
|
|
RB_INIT(&penalties_by_expiry6);
|
2021-01-09 13:10:02 +01:00
|
|
|
if (max_persource == INT_MAX) /* no limit */
|
|
|
|
return;
|
|
|
|
debug("%s: max connections %d, per source %d, masks %d,%d", __func__,
|
|
|
|
max, persource, ipv4len, ipv6len);
|
|
|
|
if (max <= 0)
|
|
|
|
fatal("%s: invalid number of sockets: %d", __func__, max);
|
2024-06-07 15:23:30 +02:00
|
|
|
children = xcalloc(max_children, sizeof(*children));
|
2021-01-09 13:10:02 +01:00
|
|
|
for (i = 0; i < max_children; i++)
|
2024-06-07 15:23:30 +02:00
|
|
|
children[i].id = -1;
|
2021-01-09 13:10:02 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
/* returns 1 if connection allowed, 0 if not allowed. */
|
|
|
|
int
|
|
|
|
srclimit_check_allow(int sock, int id)
|
|
|
|
{
|
upstream: Add a facility to sshd(8) to penalise particular
problematic client behaviours, controlled by two new sshd_config(5) options:
PerSourcePenalties and PerSourcePenaltyExemptList.
When PerSourcePenalties are enabled, sshd(8) will monitor the exit
status of its child pre-auth session processes. Through the exit
status, it can observe situations where the session did not
authenticate as expected. These conditions include when the client
repeatedly attempted authentication unsucessfully (possibly indicating
an attack against one or more accounts, e.g. password guessing), or
when client behaviour caused sshd to crash (possibly indicating
attempts to exploit sshd).
When such a condition is observed, sshd will record a penalty of some
duration (e.g. 30 seconds) against the client's address. If this time
is above a minimum threshold specified by the PerSourcePenalties, then
connections from the client address will be refused (along with any
others in the same PerSourceNetBlockSize CIDR range).
Repeated offenses by the same client address will accrue greater
penalties, up to a configurable maximum. A PerSourcePenaltyExemptList
option allows certain address ranges to be exempt from all penalties.
We hope these options will make it significantly more difficult for
attackers to find accounts with weak/guessable passwords or exploit
bugs in sshd(8) itself.
PerSourcePenalties is off by default, but we expect to enable it
automatically in the near future.
much feedback markus@ and others, ok markus@
OpenBSD-Commit-ID: 89ded70eccb2b4926ef0366a4d58a693de366cca
2024-06-06 19:15:25 +02:00
|
|
|
struct xaddr xa, xb;
|
2021-01-09 13:10:02 +01:00
|
|
|
int i, bits, first_unused, count = 0;
|
|
|
|
char xas[NI_MAXHOST];
|
|
|
|
|
|
|
|
if (max_persource == INT_MAX) /* no limit */
|
|
|
|
return 1;
|
|
|
|
|
|
|
|
debug("%s: sock %d id %d limit %d", __func__, sock, id, max_persource);
|
upstream: Add a facility to sshd(8) to penalise particular
problematic client behaviours, controlled by two new sshd_config(5) options:
PerSourcePenalties and PerSourcePenaltyExemptList.
When PerSourcePenalties are enabled, sshd(8) will monitor the exit
status of its child pre-auth session processes. Through the exit
status, it can observe situations where the session did not
authenticate as expected. These conditions include when the client
repeatedly attempted authentication unsucessfully (possibly indicating
an attack against one or more accounts, e.g. password guessing), or
when client behaviour caused sshd to crash (possibly indicating
attempts to exploit sshd).
When such a condition is observed, sshd will record a penalty of some
duration (e.g. 30 seconds) against the client's address. If this time
is above a minimum threshold specified by the PerSourcePenalties, then
connections from the client address will be refused (along with any
others in the same PerSourceNetBlockSize CIDR range).
Repeated offenses by the same client address will accrue greater
penalties, up to a configurable maximum. A PerSourcePenaltyExemptList
option allows certain address ranges to be exempt from all penalties.
We hope these options will make it significantly more difficult for
attackers to find accounts with weak/guessable passwords or exploit
bugs in sshd(8) itself.
PerSourcePenalties is off by default, but we expect to enable it
automatically in the near future.
much feedback markus@ and others, ok markus@
OpenBSD-Commit-ID: 89ded70eccb2b4926ef0366a4d58a693de366cca
2024-06-06 19:15:25 +02:00
|
|
|
if (srclimit_peer_addr(sock, &xa) != 0)
|
|
|
|
return 1;
|
2021-01-09 13:10:02 +01:00
|
|
|
bits = xa.af == AF_INET ? ipv4_masklen : ipv6_masklen;
|
upstream: Add a facility to sshd(8) to penalise particular
problematic client behaviours, controlled by two new sshd_config(5) options:
PerSourcePenalties and PerSourcePenaltyExemptList.
When PerSourcePenalties are enabled, sshd(8) will monitor the exit
status of its child pre-auth session processes. Through the exit
status, it can observe situations where the session did not
authenticate as expected. These conditions include when the client
repeatedly attempted authentication unsucessfully (possibly indicating
an attack against one or more accounts, e.g. password guessing), or
when client behaviour caused sshd to crash (possibly indicating
attempts to exploit sshd).
When such a condition is observed, sshd will record a penalty of some
duration (e.g. 30 seconds) against the client's address. If this time
is above a minimum threshold specified by the PerSourcePenalties, then
connections from the client address will be refused (along with any
others in the same PerSourceNetBlockSize CIDR range).
Repeated offenses by the same client address will accrue greater
penalties, up to a configurable maximum. A PerSourcePenaltyExemptList
option allows certain address ranges to be exempt from all penalties.
We hope these options will make it significantly more difficult for
attackers to find accounts with weak/guessable passwords or exploit
bugs in sshd(8) itself.
PerSourcePenalties is off by default, but we expect to enable it
automatically in the near future.
much feedback markus@ and others, ok markus@
OpenBSD-Commit-ID: 89ded70eccb2b4926ef0366a4d58a693de366cca
2024-06-06 19:15:25 +02:00
|
|
|
if (srclimit_mask_addr(&xa, bits, &xb) != 0)
|
2021-01-09 13:10:02 +01:00
|
|
|
return 1;
|
|
|
|
|
|
|
|
first_unused = max_children;
|
|
|
|
/* Count matching entries and find first unused one. */
|
|
|
|
for (i = 0; i < max_children; i++) {
|
2024-06-07 15:23:30 +02:00
|
|
|
if (children[i].id == -1) {
|
2021-01-09 13:10:02 +01:00
|
|
|
if (i < first_unused)
|
|
|
|
first_unused = i;
|
2024-06-07 15:23:30 +02:00
|
|
|
} else if (addr_cmp(&children[i].addr, &xb) == 0) {
|
2021-01-09 13:10:02 +01:00
|
|
|
count++;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
if (addr_ntop(&xa, xas, sizeof(xas)) != 0) {
|
|
|
|
debug3("%s: addr ntop failed", __func__);
|
|
|
|
return 1;
|
|
|
|
}
|
|
|
|
debug3("%s: new unauthenticated connection from %s/%d, at %d of %d",
|
2021-04-03 08:18:40 +02:00
|
|
|
__func__, xas, bits, count, max_persource);
|
2021-01-09 13:10:02 +01:00
|
|
|
|
|
|
|
if (first_unused == max_children) { /* no free slot found */
|
|
|
|
debug3("%s: no free slot", __func__);
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
if (first_unused < 0 || first_unused >= max_children)
|
|
|
|
fatal("%s: internal error: first_unused out of range",
|
|
|
|
__func__);
|
|
|
|
|
|
|
|
if (count >= max_persource)
|
|
|
|
return 0;
|
|
|
|
|
|
|
|
/* Connection allowed, store masked address. */
|
2024-06-07 15:23:30 +02:00
|
|
|
children[first_unused].id = id;
|
|
|
|
memcpy(&children[first_unused].addr, &xb, sizeof(xb));
|
2021-01-09 13:10:02 +01:00
|
|
|
return 1;
|
|
|
|
}
|
|
|
|
|
|
|
|
void
|
|
|
|
srclimit_done(int id)
|
|
|
|
{
|
|
|
|
int i;
|
|
|
|
|
|
|
|
if (max_persource == INT_MAX) /* no limit */
|
|
|
|
return;
|
|
|
|
|
|
|
|
debug("%s: id %d", __func__, id);
|
|
|
|
/* Clear corresponding state entry. */
|
|
|
|
for (i = 0; i < max_children; i++) {
|
2024-06-07 15:23:30 +02:00
|
|
|
if (children[i].id == id) {
|
|
|
|
children[i].id = -1;
|
2021-01-09 13:10:02 +01:00
|
|
|
return;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
upstream: Add a facility to sshd(8) to penalise particular
problematic client behaviours, controlled by two new sshd_config(5) options:
PerSourcePenalties and PerSourcePenaltyExemptList.
When PerSourcePenalties are enabled, sshd(8) will monitor the exit
status of its child pre-auth session processes. Through the exit
status, it can observe situations where the session did not
authenticate as expected. These conditions include when the client
repeatedly attempted authentication unsucessfully (possibly indicating
an attack against one or more accounts, e.g. password guessing), or
when client behaviour caused sshd to crash (possibly indicating
attempts to exploit sshd).
When such a condition is observed, sshd will record a penalty of some
duration (e.g. 30 seconds) against the client's address. If this time
is above a minimum threshold specified by the PerSourcePenalties, then
connections from the client address will be refused (along with any
others in the same PerSourceNetBlockSize CIDR range).
Repeated offenses by the same client address will accrue greater
penalties, up to a configurable maximum. A PerSourcePenaltyExemptList
option allows certain address ranges to be exempt from all penalties.
We hope these options will make it significantly more difficult for
attackers to find accounts with weak/guessable passwords or exploit
bugs in sshd(8) itself.
PerSourcePenalties is off by default, but we expect to enable it
automatically in the near future.
much feedback markus@ and others, ok markus@
OpenBSD-Commit-ID: 89ded70eccb2b4926ef0366a4d58a693de366cca
2024-06-06 19:15:25 +02:00
|
|
|
|
|
|
|
static int
|
|
|
|
penalty_addr_cmp(struct penalty *a, struct penalty *b)
|
|
|
|
{
|
|
|
|
return addr_cmp(&a->addr, &b->addr);
|
|
|
|
/* Addresses must be unique in by_addr, so no need to tiebreak */
|
|
|
|
}
|
|
|
|
|
|
|
|
static int
|
|
|
|
penalty_expiry_cmp(struct penalty *a, struct penalty *b)
|
|
|
|
{
|
|
|
|
if (a->expiry != b->expiry)
|
|
|
|
return a->expiry < b->expiry ? -1 : 1;
|
|
|
|
/* Tiebreak on addresses */
|
|
|
|
return addr_cmp(&a->addr, &b->addr);
|
|
|
|
}
|
|
|
|
|
|
|
|
static void
|
2024-06-13 00:36:00 +02:00
|
|
|
expire_penalties_from_tree(time_t now, const char *t,
|
|
|
|
struct penalties_by_expiry *by_expiry,
|
|
|
|
struct penalties_by_addr *by_addr, size_t *npenaltiesp)
|
upstream: Add a facility to sshd(8) to penalise particular
problematic client behaviours, controlled by two new sshd_config(5) options:
PerSourcePenalties and PerSourcePenaltyExemptList.
When PerSourcePenalties are enabled, sshd(8) will monitor the exit
status of its child pre-auth session processes. Through the exit
status, it can observe situations where the session did not
authenticate as expected. These conditions include when the client
repeatedly attempted authentication unsucessfully (possibly indicating
an attack against one or more accounts, e.g. password guessing), or
when client behaviour caused sshd to crash (possibly indicating
attempts to exploit sshd).
When such a condition is observed, sshd will record a penalty of some
duration (e.g. 30 seconds) against the client's address. If this time
is above a minimum threshold specified by the PerSourcePenalties, then
connections from the client address will be refused (along with any
others in the same PerSourceNetBlockSize CIDR range).
Repeated offenses by the same client address will accrue greater
penalties, up to a configurable maximum. A PerSourcePenaltyExemptList
option allows certain address ranges to be exempt from all penalties.
We hope these options will make it significantly more difficult for
attackers to find accounts with weak/guessable passwords or exploit
bugs in sshd(8) itself.
PerSourcePenalties is off by default, but we expect to enable it
automatically in the near future.
much feedback markus@ and others, ok markus@
OpenBSD-Commit-ID: 89ded70eccb2b4926ef0366a4d58a693de366cca
2024-06-06 19:15:25 +02:00
|
|
|
{
|
|
|
|
struct penalty *penalty, *tmp;
|
|
|
|
|
|
|
|
/* XXX avoid full scan of tree, e.g. min-heap */
|
2024-06-13 00:36:00 +02:00
|
|
|
RB_FOREACH_SAFE(penalty, penalties_by_expiry, by_expiry, tmp) {
|
upstream: Add a facility to sshd(8) to penalise particular
problematic client behaviours, controlled by two new sshd_config(5) options:
PerSourcePenalties and PerSourcePenaltyExemptList.
When PerSourcePenalties are enabled, sshd(8) will monitor the exit
status of its child pre-auth session processes. Through the exit
status, it can observe situations where the session did not
authenticate as expected. These conditions include when the client
repeatedly attempted authentication unsucessfully (possibly indicating
an attack against one or more accounts, e.g. password guessing), or
when client behaviour caused sshd to crash (possibly indicating
attempts to exploit sshd).
When such a condition is observed, sshd will record a penalty of some
duration (e.g. 30 seconds) against the client's address. If this time
is above a minimum threshold specified by the PerSourcePenalties, then
connections from the client address will be refused (along with any
others in the same PerSourceNetBlockSize CIDR range).
Repeated offenses by the same client address will accrue greater
penalties, up to a configurable maximum. A PerSourcePenaltyExemptList
option allows certain address ranges to be exempt from all penalties.
We hope these options will make it significantly more difficult for
attackers to find accounts with weak/guessable passwords or exploit
bugs in sshd(8) itself.
PerSourcePenalties is off by default, but we expect to enable it
automatically in the near future.
much feedback markus@ and others, ok markus@
OpenBSD-Commit-ID: 89ded70eccb2b4926ef0366a4d58a693de366cca
2024-06-06 19:15:25 +02:00
|
|
|
if (penalty->expiry >= now)
|
|
|
|
break;
|
2024-06-13 00:36:00 +02:00
|
|
|
if (RB_REMOVE(penalties_by_expiry, by_expiry,
|
upstream: Add a facility to sshd(8) to penalise particular
problematic client behaviours, controlled by two new sshd_config(5) options:
PerSourcePenalties and PerSourcePenaltyExemptList.
When PerSourcePenalties are enabled, sshd(8) will monitor the exit
status of its child pre-auth session processes. Through the exit
status, it can observe situations where the session did not
authenticate as expected. These conditions include when the client
repeatedly attempted authentication unsucessfully (possibly indicating
an attack against one or more accounts, e.g. password guessing), or
when client behaviour caused sshd to crash (possibly indicating
attempts to exploit sshd).
When such a condition is observed, sshd will record a penalty of some
duration (e.g. 30 seconds) against the client's address. If this time
is above a minimum threshold specified by the PerSourcePenalties, then
connections from the client address will be refused (along with any
others in the same PerSourceNetBlockSize CIDR range).
Repeated offenses by the same client address will accrue greater
penalties, up to a configurable maximum. A PerSourcePenaltyExemptList
option allows certain address ranges to be exempt from all penalties.
We hope these options will make it significantly more difficult for
attackers to find accounts with weak/guessable passwords or exploit
bugs in sshd(8) itself.
PerSourcePenalties is off by default, but we expect to enable it
automatically in the near future.
much feedback markus@ and others, ok markus@
OpenBSD-Commit-ID: 89ded70eccb2b4926ef0366a4d58a693de366cca
2024-06-06 19:15:25 +02:00
|
|
|
penalty) != penalty ||
|
2024-06-13 00:36:00 +02:00
|
|
|
RB_REMOVE(penalties_by_addr, by_addr,
|
upstream: Add a facility to sshd(8) to penalise particular
problematic client behaviours, controlled by two new sshd_config(5) options:
PerSourcePenalties and PerSourcePenaltyExemptList.
When PerSourcePenalties are enabled, sshd(8) will monitor the exit
status of its child pre-auth session processes. Through the exit
status, it can observe situations where the session did not
authenticate as expected. These conditions include when the client
repeatedly attempted authentication unsucessfully (possibly indicating
an attack against one or more accounts, e.g. password guessing), or
when client behaviour caused sshd to crash (possibly indicating
attempts to exploit sshd).
When such a condition is observed, sshd will record a penalty of some
duration (e.g. 30 seconds) against the client's address. If this time
is above a minimum threshold specified by the PerSourcePenalties, then
connections from the client address will be refused (along with any
others in the same PerSourceNetBlockSize CIDR range).
Repeated offenses by the same client address will accrue greater
penalties, up to a configurable maximum. A PerSourcePenaltyExemptList
option allows certain address ranges to be exempt from all penalties.
We hope these options will make it significantly more difficult for
attackers to find accounts with weak/guessable passwords or exploit
bugs in sshd(8) itself.
PerSourcePenalties is off by default, but we expect to enable it
automatically in the near future.
much feedback markus@ and others, ok markus@
OpenBSD-Commit-ID: 89ded70eccb2b4926ef0366a4d58a693de366cca
2024-06-06 19:15:25 +02:00
|
|
|
penalty) != penalty)
|
2024-06-13 00:36:00 +02:00
|
|
|
fatal_f("internal error: %s penalty table corrupt", t);
|
upstream: Add a facility to sshd(8) to penalise particular
problematic client behaviours, controlled by two new sshd_config(5) options:
PerSourcePenalties and PerSourcePenaltyExemptList.
When PerSourcePenalties are enabled, sshd(8) will monitor the exit
status of its child pre-auth session processes. Through the exit
status, it can observe situations where the session did not
authenticate as expected. These conditions include when the client
repeatedly attempted authentication unsucessfully (possibly indicating
an attack against one or more accounts, e.g. password guessing), or
when client behaviour caused sshd to crash (possibly indicating
attempts to exploit sshd).
When such a condition is observed, sshd will record a penalty of some
duration (e.g. 30 seconds) against the client's address. If this time
is above a minimum threshold specified by the PerSourcePenalties, then
connections from the client address will be refused (along with any
others in the same PerSourceNetBlockSize CIDR range).
Repeated offenses by the same client address will accrue greater
penalties, up to a configurable maximum. A PerSourcePenaltyExemptList
option allows certain address ranges to be exempt from all penalties.
We hope these options will make it significantly more difficult for
attackers to find accounts with weak/guessable passwords or exploit
bugs in sshd(8) itself.
PerSourcePenalties is off by default, but we expect to enable it
automatically in the near future.
much feedback markus@ and others, ok markus@
OpenBSD-Commit-ID: 89ded70eccb2b4926ef0366a4d58a693de366cca
2024-06-06 19:15:25 +02:00
|
|
|
free(penalty);
|
2024-06-13 00:36:00 +02:00
|
|
|
if ((*npenaltiesp)-- == 0)
|
|
|
|
fatal_f("internal error: %s npenalties underflow", t);
|
upstream: Add a facility to sshd(8) to penalise particular
problematic client behaviours, controlled by two new sshd_config(5) options:
PerSourcePenalties and PerSourcePenaltyExemptList.
When PerSourcePenalties are enabled, sshd(8) will monitor the exit
status of its child pre-auth session processes. Through the exit
status, it can observe situations where the session did not
authenticate as expected. These conditions include when the client
repeatedly attempted authentication unsucessfully (possibly indicating
an attack against one or more accounts, e.g. password guessing), or
when client behaviour caused sshd to crash (possibly indicating
attempts to exploit sshd).
When such a condition is observed, sshd will record a penalty of some
duration (e.g. 30 seconds) against the client's address. If this time
is above a minimum threshold specified by the PerSourcePenalties, then
connections from the client address will be refused (along with any
others in the same PerSourceNetBlockSize CIDR range).
Repeated offenses by the same client address will accrue greater
penalties, up to a configurable maximum. A PerSourcePenaltyExemptList
option allows certain address ranges to be exempt from all penalties.
We hope these options will make it significantly more difficult for
attackers to find accounts with weak/guessable passwords or exploit
bugs in sshd(8) itself.
PerSourcePenalties is off by default, but we expect to enable it
automatically in the near future.
much feedback markus@ and others, ok markus@
OpenBSD-Commit-ID: 89ded70eccb2b4926ef0366a4d58a693de366cca
2024-06-06 19:15:25 +02:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2024-06-13 00:36:00 +02:00
|
|
|
static void
|
|
|
|
expire_penalties(time_t now)
|
|
|
|
{
|
|
|
|
expire_penalties_from_tree(now, "ipv4",
|
|
|
|
&penalties_by_expiry4, &penalties_by_addr4, &npenalties4);
|
|
|
|
expire_penalties_from_tree(now, "ipv6",
|
|
|
|
&penalties_by_expiry6, &penalties_by_addr6, &npenalties6);
|
|
|
|
}
|
|
|
|
|
upstream: Add a facility to sshd(8) to penalise particular
problematic client behaviours, controlled by two new sshd_config(5) options:
PerSourcePenalties and PerSourcePenaltyExemptList.
When PerSourcePenalties are enabled, sshd(8) will monitor the exit
status of its child pre-auth session processes. Through the exit
status, it can observe situations where the session did not
authenticate as expected. These conditions include when the client
repeatedly attempted authentication unsucessfully (possibly indicating
an attack against one or more accounts, e.g. password guessing), or
when client behaviour caused sshd to crash (possibly indicating
attempts to exploit sshd).
When such a condition is observed, sshd will record a penalty of some
duration (e.g. 30 seconds) against the client's address. If this time
is above a minimum threshold specified by the PerSourcePenalties, then
connections from the client address will be refused (along with any
others in the same PerSourceNetBlockSize CIDR range).
Repeated offenses by the same client address will accrue greater
penalties, up to a configurable maximum. A PerSourcePenaltyExemptList
option allows certain address ranges to be exempt from all penalties.
We hope these options will make it significantly more difficult for
attackers to find accounts with weak/guessable passwords or exploit
bugs in sshd(8) itself.
PerSourcePenalties is off by default, but we expect to enable it
automatically in the near future.
much feedback markus@ and others, ok markus@
OpenBSD-Commit-ID: 89ded70eccb2b4926ef0366a4d58a693de366cca
2024-06-06 19:15:25 +02:00
|
|
|
static void
|
|
|
|
addr_masklen_ntop(struct xaddr *addr, int masklen, char *s, size_t slen)
|
|
|
|
{
|
|
|
|
size_t o;
|
|
|
|
|
|
|
|
if (addr_ntop(addr, s, slen) != 0) {
|
|
|
|
strlcpy(s, "UNKNOWN", slen);
|
|
|
|
return;
|
|
|
|
}
|
|
|
|
if ((o = strlen(s)) < slen)
|
|
|
|
snprintf(s + o, slen - o, "/%d", masklen);
|
|
|
|
}
|
|
|
|
|
|
|
|
int
|
|
|
|
srclimit_penalty_check_allow(int sock, const char **reason)
|
|
|
|
{
|
|
|
|
struct xaddr addr;
|
|
|
|
struct penalty find, *penalty;
|
|
|
|
time_t now;
|
2024-06-13 00:36:00 +02:00
|
|
|
int bits, max_sources, overflow_mode;
|
upstream: Add a facility to sshd(8) to penalise particular
problematic client behaviours, controlled by two new sshd_config(5) options:
PerSourcePenalties and PerSourcePenaltyExemptList.
When PerSourcePenalties are enabled, sshd(8) will monitor the exit
status of its child pre-auth session processes. Through the exit
status, it can observe situations where the session did not
authenticate as expected. These conditions include when the client
repeatedly attempted authentication unsucessfully (possibly indicating
an attack against one or more accounts, e.g. password guessing), or
when client behaviour caused sshd to crash (possibly indicating
attempts to exploit sshd).
When such a condition is observed, sshd will record a penalty of some
duration (e.g. 30 seconds) against the client's address. If this time
is above a minimum threshold specified by the PerSourcePenalties, then
connections from the client address will be refused (along with any
others in the same PerSourceNetBlockSize CIDR range).
Repeated offenses by the same client address will accrue greater
penalties, up to a configurable maximum. A PerSourcePenaltyExemptList
option allows certain address ranges to be exempt from all penalties.
We hope these options will make it significantly more difficult for
attackers to find accounts with weak/guessable passwords or exploit
bugs in sshd(8) itself.
PerSourcePenalties is off by default, but we expect to enable it
automatically in the near future.
much feedback markus@ and others, ok markus@
OpenBSD-Commit-ID: 89ded70eccb2b4926ef0366a4d58a693de366cca
2024-06-06 19:15:25 +02:00
|
|
|
char addr_s[NI_MAXHOST];
|
2024-06-13 00:36:00 +02:00
|
|
|
struct penalties_by_addr *by_addr;
|
|
|
|
size_t npenalties;
|
upstream: Add a facility to sshd(8) to penalise particular
problematic client behaviours, controlled by two new sshd_config(5) options:
PerSourcePenalties and PerSourcePenaltyExemptList.
When PerSourcePenalties are enabled, sshd(8) will monitor the exit
status of its child pre-auth session processes. Through the exit
status, it can observe situations where the session did not
authenticate as expected. These conditions include when the client
repeatedly attempted authentication unsucessfully (possibly indicating
an attack against one or more accounts, e.g. password guessing), or
when client behaviour caused sshd to crash (possibly indicating
attempts to exploit sshd).
When such a condition is observed, sshd will record a penalty of some
duration (e.g. 30 seconds) against the client's address. If this time
is above a minimum threshold specified by the PerSourcePenalties, then
connections from the client address will be refused (along with any
others in the same PerSourceNetBlockSize CIDR range).
Repeated offenses by the same client address will accrue greater
penalties, up to a configurable maximum. A PerSourcePenaltyExemptList
option allows certain address ranges to be exempt from all penalties.
We hope these options will make it significantly more difficult for
attackers to find accounts with weak/guessable passwords or exploit
bugs in sshd(8) itself.
PerSourcePenalties is off by default, but we expect to enable it
automatically in the near future.
much feedback markus@ and others, ok markus@
OpenBSD-Commit-ID: 89ded70eccb2b4926ef0366a4d58a693de366cca
2024-06-06 19:15:25 +02:00
|
|
|
|
|
|
|
if (!penalty_cfg.enabled)
|
|
|
|
return 1;
|
|
|
|
if (srclimit_peer_addr(sock, &addr) != 0)
|
|
|
|
return 1;
|
|
|
|
if (penalty_exempt != NULL) {
|
|
|
|
if (addr_ntop(&addr, addr_s, sizeof(addr_s)) != 0)
|
|
|
|
return 1; /* shouldn't happen */
|
|
|
|
if (addr_match_list(addr_s, penalty_exempt) == 1) {
|
|
|
|
return 1;
|
|
|
|
}
|
|
|
|
}
|
2024-06-13 00:36:00 +02:00
|
|
|
now = monotime();
|
|
|
|
expire_penalties(now);
|
|
|
|
by_addr = addr.af == AF_INET ?
|
|
|
|
&penalties_by_addr4 : &penalties_by_addr6;
|
|
|
|
max_sources = addr.af == AF_INET ?
|
|
|
|
penalty_cfg.max_sources4 : penalty_cfg.max_sources6;
|
|
|
|
overflow_mode = addr.af == AF_INET ?
|
|
|
|
penalty_cfg.overflow_mode : penalty_cfg.overflow_mode6;
|
|
|
|
npenalties = addr.af == AF_INET ? npenalties4 : npenalties6;
|
|
|
|
if (npenalties >= (size_t)max_sources &&
|
|
|
|
overflow_mode == PER_SOURCE_PENALTY_OVERFLOW_DENY_ALL) {
|
upstream: Add a facility to sshd(8) to penalise particular
problematic client behaviours, controlled by two new sshd_config(5) options:
PerSourcePenalties and PerSourcePenaltyExemptList.
When PerSourcePenalties are enabled, sshd(8) will monitor the exit
status of its child pre-auth session processes. Through the exit
status, it can observe situations where the session did not
authenticate as expected. These conditions include when the client
repeatedly attempted authentication unsucessfully (possibly indicating
an attack against one or more accounts, e.g. password guessing), or
when client behaviour caused sshd to crash (possibly indicating
attempts to exploit sshd).
When such a condition is observed, sshd will record a penalty of some
duration (e.g. 30 seconds) against the client's address. If this time
is above a minimum threshold specified by the PerSourcePenalties, then
connections from the client address will be refused (along with any
others in the same PerSourceNetBlockSize CIDR range).
Repeated offenses by the same client address will accrue greater
penalties, up to a configurable maximum. A PerSourcePenaltyExemptList
option allows certain address ranges to be exempt from all penalties.
We hope these options will make it significantly more difficult for
attackers to find accounts with weak/guessable passwords or exploit
bugs in sshd(8) itself.
PerSourcePenalties is off by default, but we expect to enable it
automatically in the near future.
much feedback markus@ and others, ok markus@
OpenBSD-Commit-ID: 89ded70eccb2b4926ef0366a4d58a693de366cca
2024-06-06 19:15:25 +02:00
|
|
|
*reason = "too many penalised addresses";
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
bits = addr.af == AF_INET ? ipv4_masklen : ipv6_masklen;
|
|
|
|
memset(&find, 0, sizeof(find));
|
|
|
|
if (srclimit_mask_addr(&addr, bits, &find.addr) != 0)
|
|
|
|
return 1;
|
2024-06-13 00:36:00 +02:00
|
|
|
if ((penalty = RB_FIND(penalties_by_addr, by_addr, &find)) == NULL)
|
upstream: Add a facility to sshd(8) to penalise particular
problematic client behaviours, controlled by two new sshd_config(5) options:
PerSourcePenalties and PerSourcePenaltyExemptList.
When PerSourcePenalties are enabled, sshd(8) will monitor the exit
status of its child pre-auth session processes. Through the exit
status, it can observe situations where the session did not
authenticate as expected. These conditions include when the client
repeatedly attempted authentication unsucessfully (possibly indicating
an attack against one or more accounts, e.g. password guessing), or
when client behaviour caused sshd to crash (possibly indicating
attempts to exploit sshd).
When such a condition is observed, sshd will record a penalty of some
duration (e.g. 30 seconds) against the client's address. If this time
is above a minimum threshold specified by the PerSourcePenalties, then
connections from the client address will be refused (along with any
others in the same PerSourceNetBlockSize CIDR range).
Repeated offenses by the same client address will accrue greater
penalties, up to a configurable maximum. A PerSourcePenaltyExemptList
option allows certain address ranges to be exempt from all penalties.
We hope these options will make it significantly more difficult for
attackers to find accounts with weak/guessable passwords or exploit
bugs in sshd(8) itself.
PerSourcePenalties is off by default, but we expect to enable it
automatically in the near future.
much feedback markus@ and others, ok markus@
OpenBSD-Commit-ID: 89ded70eccb2b4926ef0366a4d58a693de366cca
2024-06-06 19:15:25 +02:00
|
|
|
return 1; /* no penalty */
|
|
|
|
if (penalty->expiry < now) {
|
|
|
|
expire_penalties(now);
|
|
|
|
return 1; /* expired penalty */
|
|
|
|
}
|
|
|
|
if (!penalty->active)
|
|
|
|
return 1; /* Penalty hasn't hit activation threshold yet */
|
|
|
|
*reason = penalty->reason;
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
static void
|
2024-06-13 00:36:00 +02:00
|
|
|
srclimit_early_expire_penalties_from_tree(const char *t,
|
|
|
|
struct penalties_by_expiry *by_expiry,
|
|
|
|
struct penalties_by_addr *by_addr, size_t *npenaltiesp, size_t max_sources)
|
upstream: Add a facility to sshd(8) to penalise particular
problematic client behaviours, controlled by two new sshd_config(5) options:
PerSourcePenalties and PerSourcePenaltyExemptList.
When PerSourcePenalties are enabled, sshd(8) will monitor the exit
status of its child pre-auth session processes. Through the exit
status, it can observe situations where the session did not
authenticate as expected. These conditions include when the client
repeatedly attempted authentication unsucessfully (possibly indicating
an attack against one or more accounts, e.g. password guessing), or
when client behaviour caused sshd to crash (possibly indicating
attempts to exploit sshd).
When such a condition is observed, sshd will record a penalty of some
duration (e.g. 30 seconds) against the client's address. If this time
is above a minimum threshold specified by the PerSourcePenalties, then
connections from the client address will be refused (along with any
others in the same PerSourceNetBlockSize CIDR range).
Repeated offenses by the same client address will accrue greater
penalties, up to a configurable maximum. A PerSourcePenaltyExemptList
option allows certain address ranges to be exempt from all penalties.
We hope these options will make it significantly more difficult for
attackers to find accounts with weak/guessable passwords or exploit
bugs in sshd(8) itself.
PerSourcePenalties is off by default, but we expect to enable it
automatically in the near future.
much feedback markus@ and others, ok markus@
OpenBSD-Commit-ID: 89ded70eccb2b4926ef0366a4d58a693de366cca
2024-06-06 19:15:25 +02:00
|
|
|
{
|
|
|
|
struct penalty *p = NULL;
|
|
|
|
int bits;
|
|
|
|
char s[NI_MAXHOST + 4];
|
|
|
|
|
|
|
|
/* Delete the soonest-to-expire penalties. */
|
2024-06-13 00:36:00 +02:00
|
|
|
while (*npenaltiesp > max_sources) {
|
|
|
|
if ((p = RB_MIN(penalties_by_expiry, by_expiry)) == NULL)
|
|
|
|
fatal_f("internal error: %s table corrupt (find)", t);
|
upstream: Add a facility to sshd(8) to penalise particular
problematic client behaviours, controlled by two new sshd_config(5) options:
PerSourcePenalties and PerSourcePenaltyExemptList.
When PerSourcePenalties are enabled, sshd(8) will monitor the exit
status of its child pre-auth session processes. Through the exit
status, it can observe situations where the session did not
authenticate as expected. These conditions include when the client
repeatedly attempted authentication unsucessfully (possibly indicating
an attack against one or more accounts, e.g. password guessing), or
when client behaviour caused sshd to crash (possibly indicating
attempts to exploit sshd).
When such a condition is observed, sshd will record a penalty of some
duration (e.g. 30 seconds) against the client's address. If this time
is above a minimum threshold specified by the PerSourcePenalties, then
connections from the client address will be refused (along with any
others in the same PerSourceNetBlockSize CIDR range).
Repeated offenses by the same client address will accrue greater
penalties, up to a configurable maximum. A PerSourcePenaltyExemptList
option allows certain address ranges to be exempt from all penalties.
We hope these options will make it significantly more difficult for
attackers to find accounts with weak/guessable passwords or exploit
bugs in sshd(8) itself.
PerSourcePenalties is off by default, but we expect to enable it
automatically in the near future.
much feedback markus@ and others, ok markus@
OpenBSD-Commit-ID: 89ded70eccb2b4926ef0366a4d58a693de366cca
2024-06-06 19:15:25 +02:00
|
|
|
bits = p->addr.af == AF_INET ? ipv4_masklen : ipv6_masklen;
|
|
|
|
addr_masklen_ntop(&p->addr, bits, s, sizeof(s));
|
2024-06-13 00:36:00 +02:00
|
|
|
debug3_f("%s overflow, remove %s", t, s);
|
|
|
|
if (RB_REMOVE(penalties_by_expiry, by_expiry, p) != p ||
|
|
|
|
RB_REMOVE(penalties_by_addr, by_addr, p) != p)
|
|
|
|
fatal_f("internal error: %s table corrupt (remove)", t);
|
upstream: Add a facility to sshd(8) to penalise particular
problematic client behaviours, controlled by two new sshd_config(5) options:
PerSourcePenalties and PerSourcePenaltyExemptList.
When PerSourcePenalties are enabled, sshd(8) will monitor the exit
status of its child pre-auth session processes. Through the exit
status, it can observe situations where the session did not
authenticate as expected. These conditions include when the client
repeatedly attempted authentication unsucessfully (possibly indicating
an attack against one or more accounts, e.g. password guessing), or
when client behaviour caused sshd to crash (possibly indicating
attempts to exploit sshd).
When such a condition is observed, sshd will record a penalty of some
duration (e.g. 30 seconds) against the client's address. If this time
is above a minimum threshold specified by the PerSourcePenalties, then
connections from the client address will be refused (along with any
others in the same PerSourceNetBlockSize CIDR range).
Repeated offenses by the same client address will accrue greater
penalties, up to a configurable maximum. A PerSourcePenaltyExemptList
option allows certain address ranges to be exempt from all penalties.
We hope these options will make it significantly more difficult for
attackers to find accounts with weak/guessable passwords or exploit
bugs in sshd(8) itself.
PerSourcePenalties is off by default, but we expect to enable it
automatically in the near future.
much feedback markus@ and others, ok markus@
OpenBSD-Commit-ID: 89ded70eccb2b4926ef0366a4d58a693de366cca
2024-06-06 19:15:25 +02:00
|
|
|
free(p);
|
2024-06-13 00:36:00 +02:00
|
|
|
(*npenaltiesp)--;
|
upstream: Add a facility to sshd(8) to penalise particular
problematic client behaviours, controlled by two new sshd_config(5) options:
PerSourcePenalties and PerSourcePenaltyExemptList.
When PerSourcePenalties are enabled, sshd(8) will monitor the exit
status of its child pre-auth session processes. Through the exit
status, it can observe situations where the session did not
authenticate as expected. These conditions include when the client
repeatedly attempted authentication unsucessfully (possibly indicating
an attack against one or more accounts, e.g. password guessing), or
when client behaviour caused sshd to crash (possibly indicating
attempts to exploit sshd).
When such a condition is observed, sshd will record a penalty of some
duration (e.g. 30 seconds) against the client's address. If this time
is above a minimum threshold specified by the PerSourcePenalties, then
connections from the client address will be refused (along with any
others in the same PerSourceNetBlockSize CIDR range).
Repeated offenses by the same client address will accrue greater
penalties, up to a configurable maximum. A PerSourcePenaltyExemptList
option allows certain address ranges to be exempt from all penalties.
We hope these options will make it significantly more difficult for
attackers to find accounts with weak/guessable passwords or exploit
bugs in sshd(8) itself.
PerSourcePenalties is off by default, but we expect to enable it
automatically in the near future.
much feedback markus@ and others, ok markus@
OpenBSD-Commit-ID: 89ded70eccb2b4926ef0366a4d58a693de366cca
2024-06-06 19:15:25 +02:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2024-06-13 00:36:00 +02:00
|
|
|
static void
|
|
|
|
srclimit_early_expire_penalties(void)
|
|
|
|
{
|
|
|
|
srclimit_early_expire_penalties_from_tree("ipv4",
|
|
|
|
&penalties_by_expiry4, &penalties_by_addr4, &npenalties4,
|
|
|
|
(size_t)penalty_cfg.max_sources4);
|
|
|
|
srclimit_early_expire_penalties_from_tree("ipv6",
|
|
|
|
&penalties_by_expiry6, &penalties_by_addr6, &npenalties6,
|
|
|
|
(size_t)penalty_cfg.max_sources6);
|
|
|
|
}
|
|
|
|
|
upstream: Add a facility to sshd(8) to penalise particular
problematic client behaviours, controlled by two new sshd_config(5) options:
PerSourcePenalties and PerSourcePenaltyExemptList.
When PerSourcePenalties are enabled, sshd(8) will monitor the exit
status of its child pre-auth session processes. Through the exit
status, it can observe situations where the session did not
authenticate as expected. These conditions include when the client
repeatedly attempted authentication unsucessfully (possibly indicating
an attack against one or more accounts, e.g. password guessing), or
when client behaviour caused sshd to crash (possibly indicating
attempts to exploit sshd).
When such a condition is observed, sshd will record a penalty of some
duration (e.g. 30 seconds) against the client's address. If this time
is above a minimum threshold specified by the PerSourcePenalties, then
connections from the client address will be refused (along with any
others in the same PerSourceNetBlockSize CIDR range).
Repeated offenses by the same client address will accrue greater
penalties, up to a configurable maximum. A PerSourcePenaltyExemptList
option allows certain address ranges to be exempt from all penalties.
We hope these options will make it significantly more difficult for
attackers to find accounts with weak/guessable passwords or exploit
bugs in sshd(8) itself.
PerSourcePenalties is off by default, but we expect to enable it
automatically in the near future.
much feedback markus@ and others, ok markus@
OpenBSD-Commit-ID: 89ded70eccb2b4926ef0366a4d58a693de366cca
2024-06-06 19:15:25 +02:00
|
|
|
void
|
|
|
|
srclimit_penalise(struct xaddr *addr, int penalty_type)
|
|
|
|
{
|
|
|
|
struct xaddr masked;
|
2024-06-13 00:36:00 +02:00
|
|
|
struct penalty *penalty = NULL, *existing = NULL;
|
upstream: Add a facility to sshd(8) to penalise particular
problematic client behaviours, controlled by two new sshd_config(5) options:
PerSourcePenalties and PerSourcePenaltyExemptList.
When PerSourcePenalties are enabled, sshd(8) will monitor the exit
status of its child pre-auth session processes. Through the exit
status, it can observe situations where the session did not
authenticate as expected. These conditions include when the client
repeatedly attempted authentication unsucessfully (possibly indicating
an attack against one or more accounts, e.g. password guessing), or
when client behaviour caused sshd to crash (possibly indicating
attempts to exploit sshd).
When such a condition is observed, sshd will record a penalty of some
duration (e.g. 30 seconds) against the client's address. If this time
is above a minimum threshold specified by the PerSourcePenalties, then
connections from the client address will be refused (along with any
others in the same PerSourceNetBlockSize CIDR range).
Repeated offenses by the same client address will accrue greater
penalties, up to a configurable maximum. A PerSourcePenaltyExemptList
option allows certain address ranges to be exempt from all penalties.
We hope these options will make it significantly more difficult for
attackers to find accounts with weak/guessable passwords or exploit
bugs in sshd(8) itself.
PerSourcePenalties is off by default, but we expect to enable it
automatically in the near future.
much feedback markus@ and others, ok markus@
OpenBSD-Commit-ID: 89ded70eccb2b4926ef0366a4d58a693de366cca
2024-06-06 19:15:25 +02:00
|
|
|
time_t now;
|
2024-06-13 00:36:00 +02:00
|
|
|
int bits, penalty_secs, max_sources = 0, overflow_mode;
|
upstream: Add a facility to sshd(8) to penalise particular
problematic client behaviours, controlled by two new sshd_config(5) options:
PerSourcePenalties and PerSourcePenaltyExemptList.
When PerSourcePenalties are enabled, sshd(8) will monitor the exit
status of its child pre-auth session processes. Through the exit
status, it can observe situations where the session did not
authenticate as expected. These conditions include when the client
repeatedly attempted authentication unsucessfully (possibly indicating
an attack against one or more accounts, e.g. password guessing), or
when client behaviour caused sshd to crash (possibly indicating
attempts to exploit sshd).
When such a condition is observed, sshd will record a penalty of some
duration (e.g. 30 seconds) against the client's address. If this time
is above a minimum threshold specified by the PerSourcePenalties, then
connections from the client address will be refused (along with any
others in the same PerSourceNetBlockSize CIDR range).
Repeated offenses by the same client address will accrue greater
penalties, up to a configurable maximum. A PerSourcePenaltyExemptList
option allows certain address ranges to be exempt from all penalties.
We hope these options will make it significantly more difficult for
attackers to find accounts with weak/guessable passwords or exploit
bugs in sshd(8) itself.
PerSourcePenalties is off by default, but we expect to enable it
automatically in the near future.
much feedback markus@ and others, ok markus@
OpenBSD-Commit-ID: 89ded70eccb2b4926ef0366a4d58a693de366cca
2024-06-06 19:15:25 +02:00
|
|
|
char addrnetmask[NI_MAXHOST + 4];
|
2024-06-13 00:36:00 +02:00
|
|
|
const char *reason = NULL, *t;
|
|
|
|
size_t *npenaltiesp = NULL;
|
|
|
|
struct penalties_by_addr *by_addr = NULL;
|
|
|
|
struct penalties_by_expiry *by_expiry = NULL;
|
upstream: Add a facility to sshd(8) to penalise particular
problematic client behaviours, controlled by two new sshd_config(5) options:
PerSourcePenalties and PerSourcePenaltyExemptList.
When PerSourcePenalties are enabled, sshd(8) will monitor the exit
status of its child pre-auth session processes. Through the exit
status, it can observe situations where the session did not
authenticate as expected. These conditions include when the client
repeatedly attempted authentication unsucessfully (possibly indicating
an attack against one or more accounts, e.g. password guessing), or
when client behaviour caused sshd to crash (possibly indicating
attempts to exploit sshd).
When such a condition is observed, sshd will record a penalty of some
duration (e.g. 30 seconds) against the client's address. If this time
is above a minimum threshold specified by the PerSourcePenalties, then
connections from the client address will be refused (along with any
others in the same PerSourceNetBlockSize CIDR range).
Repeated offenses by the same client address will accrue greater
penalties, up to a configurable maximum. A PerSourcePenaltyExemptList
option allows certain address ranges to be exempt from all penalties.
We hope these options will make it significantly more difficult for
attackers to find accounts with weak/guessable passwords or exploit
bugs in sshd(8) itself.
PerSourcePenalties is off by default, but we expect to enable it
automatically in the near future.
much feedback markus@ and others, ok markus@
OpenBSD-Commit-ID: 89ded70eccb2b4926ef0366a4d58a693de366cca
2024-06-06 19:15:25 +02:00
|
|
|
|
|
|
|
if (!penalty_cfg.enabled)
|
|
|
|
return;
|
|
|
|
if (penalty_exempt != NULL) {
|
|
|
|
if (addr_ntop(addr, addrnetmask, sizeof(addrnetmask)) != 0)
|
|
|
|
return; /* shouldn't happen */
|
|
|
|
if (addr_match_list(addrnetmask, penalty_exempt) == 1) {
|
|
|
|
debug3_f("address %s is exempt", addrnetmask);
|
|
|
|
return;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
switch (penalty_type) {
|
|
|
|
case SRCLIMIT_PENALTY_NONE:
|
|
|
|
return;
|
|
|
|
case SRCLIMIT_PENALTY_CRASH:
|
|
|
|
penalty_secs = penalty_cfg.penalty_crash;
|
|
|
|
reason = "penalty: caused crash";
|
|
|
|
break;
|
|
|
|
case SRCLIMIT_PENALTY_AUTHFAIL:
|
|
|
|
penalty_secs = penalty_cfg.penalty_authfail;
|
|
|
|
reason = "penalty: failed authentication";
|
|
|
|
break;
|
|
|
|
case SRCLIMIT_PENALTY_NOAUTH:
|
|
|
|
penalty_secs = penalty_cfg.penalty_noauth;
|
|
|
|
reason = "penalty: connections without attempting authentication";
|
|
|
|
break;
|
|
|
|
case SRCLIMIT_PENALTY_GRACE_EXCEEDED:
|
|
|
|
penalty_secs = penalty_cfg.penalty_crash;
|
|
|
|
reason = "penalty: exceeded LoginGraceTime";
|
|
|
|
break;
|
|
|
|
default:
|
|
|
|
fatal_f("internal error: unknown penalty %d", penalty_type);
|
|
|
|
}
|
|
|
|
bits = addr->af == AF_INET ? ipv4_masklen : ipv6_masklen;
|
|
|
|
if (srclimit_mask_addr(addr, bits, &masked) != 0)
|
|
|
|
return;
|
|
|
|
addr_masklen_ntop(addr, bits, addrnetmask, sizeof(addrnetmask));
|
|
|
|
|
|
|
|
now = monotime();
|
|
|
|
expire_penalties(now);
|
2024-06-13 00:36:00 +02:00
|
|
|
by_expiry = addr->af == AF_INET ?
|
|
|
|
&penalties_by_expiry4 : &penalties_by_expiry6;
|
|
|
|
by_addr = addr->af == AF_INET ?
|
|
|
|
&penalties_by_addr4 : &penalties_by_addr6;
|
|
|
|
max_sources = addr->af == AF_INET ?
|
|
|
|
penalty_cfg.max_sources4 : penalty_cfg.max_sources6;
|
|
|
|
overflow_mode = addr->af == AF_INET ?
|
|
|
|
penalty_cfg.overflow_mode : penalty_cfg.overflow_mode6;
|
|
|
|
npenaltiesp = addr->af == AF_INET ? &npenalties4 : &npenalties6;
|
|
|
|
t = addr->af == AF_INET ? "ipv4" : "ipv6";
|
2024-06-20 02:18:05 +02:00
|
|
|
if (*npenaltiesp >= (size_t)max_sources &&
|
2024-06-13 00:36:00 +02:00
|
|
|
overflow_mode == PER_SOURCE_PENALTY_OVERFLOW_DENY_ALL) {
|
|
|
|
verbose_f("%s penalty table full, cannot penalise %s for %s", t,
|
upstream: Add a facility to sshd(8) to penalise particular
problematic client behaviours, controlled by two new sshd_config(5) options:
PerSourcePenalties and PerSourcePenaltyExemptList.
When PerSourcePenalties are enabled, sshd(8) will monitor the exit
status of its child pre-auth session processes. Through the exit
status, it can observe situations where the session did not
authenticate as expected. These conditions include when the client
repeatedly attempted authentication unsucessfully (possibly indicating
an attack against one or more accounts, e.g. password guessing), or
when client behaviour caused sshd to crash (possibly indicating
attempts to exploit sshd).
When such a condition is observed, sshd will record a penalty of some
duration (e.g. 30 seconds) against the client's address. If this time
is above a minimum threshold specified by the PerSourcePenalties, then
connections from the client address will be refused (along with any
others in the same PerSourceNetBlockSize CIDR range).
Repeated offenses by the same client address will accrue greater
penalties, up to a configurable maximum. A PerSourcePenaltyExemptList
option allows certain address ranges to be exempt from all penalties.
We hope these options will make it significantly more difficult for
attackers to find accounts with weak/guessable passwords or exploit
bugs in sshd(8) itself.
PerSourcePenalties is off by default, but we expect to enable it
automatically in the near future.
much feedback markus@ and others, ok markus@
OpenBSD-Commit-ID: 89ded70eccb2b4926ef0366a4d58a693de366cca
2024-06-06 19:15:25 +02:00
|
|
|
addrnetmask, reason);
|
|
|
|
return;
|
|
|
|
}
|
|
|
|
|
|
|
|
penalty = xcalloc(1, sizeof(*penalty));
|
|
|
|
penalty->addr = masked;
|
|
|
|
penalty->expiry = now + penalty_secs;
|
|
|
|
penalty->reason = reason;
|
2024-06-13 00:36:00 +02:00
|
|
|
if ((existing = RB_INSERT(penalties_by_addr, by_addr,
|
upstream: Add a facility to sshd(8) to penalise particular
problematic client behaviours, controlled by two new sshd_config(5) options:
PerSourcePenalties and PerSourcePenaltyExemptList.
When PerSourcePenalties are enabled, sshd(8) will monitor the exit
status of its child pre-auth session processes. Through the exit
status, it can observe situations where the session did not
authenticate as expected. These conditions include when the client
repeatedly attempted authentication unsucessfully (possibly indicating
an attack against one or more accounts, e.g. password guessing), or
when client behaviour caused sshd to crash (possibly indicating
attempts to exploit sshd).
When such a condition is observed, sshd will record a penalty of some
duration (e.g. 30 seconds) against the client's address. If this time
is above a minimum threshold specified by the PerSourcePenalties, then
connections from the client address will be refused (along with any
others in the same PerSourceNetBlockSize CIDR range).
Repeated offenses by the same client address will accrue greater
penalties, up to a configurable maximum. A PerSourcePenaltyExemptList
option allows certain address ranges to be exempt from all penalties.
We hope these options will make it significantly more difficult for
attackers to find accounts with weak/guessable passwords or exploit
bugs in sshd(8) itself.
PerSourcePenalties is off by default, but we expect to enable it
automatically in the near future.
much feedback markus@ and others, ok markus@
OpenBSD-Commit-ID: 89ded70eccb2b4926ef0366a4d58a693de366cca
2024-06-06 19:15:25 +02:00
|
|
|
penalty)) == NULL) {
|
|
|
|
/* penalty didn't previously exist */
|
|
|
|
if (penalty_secs > penalty_cfg.penalty_min)
|
|
|
|
penalty->active = 1;
|
2024-06-13 00:36:00 +02:00
|
|
|
if (RB_INSERT(penalties_by_expiry, by_expiry, penalty) != NULL)
|
|
|
|
fatal_f("internal error: %s penalty tables corrupt", t);
|
|
|
|
verbose_f("%s: new %s %s penalty of %d seconds for %s", t,
|
upstream: Add a facility to sshd(8) to penalise particular
problematic client behaviours, controlled by two new sshd_config(5) options:
PerSourcePenalties and PerSourcePenaltyExemptList.
When PerSourcePenalties are enabled, sshd(8) will monitor the exit
status of its child pre-auth session processes. Through the exit
status, it can observe situations where the session did not
authenticate as expected. These conditions include when the client
repeatedly attempted authentication unsucessfully (possibly indicating
an attack against one or more accounts, e.g. password guessing), or
when client behaviour caused sshd to crash (possibly indicating
attempts to exploit sshd).
When such a condition is observed, sshd will record a penalty of some
duration (e.g. 30 seconds) against the client's address. If this time
is above a minimum threshold specified by the PerSourcePenalties, then
connections from the client address will be refused (along with any
others in the same PerSourceNetBlockSize CIDR range).
Repeated offenses by the same client address will accrue greater
penalties, up to a configurable maximum. A PerSourcePenaltyExemptList
option allows certain address ranges to be exempt from all penalties.
We hope these options will make it significantly more difficult for
attackers to find accounts with weak/guessable passwords or exploit
bugs in sshd(8) itself.
PerSourcePenalties is off by default, but we expect to enable it
automatically in the near future.
much feedback markus@ and others, ok markus@
OpenBSD-Commit-ID: 89ded70eccb2b4926ef0366a4d58a693de366cca
2024-06-06 19:15:25 +02:00
|
|
|
addrnetmask, penalty->active ? "active" : "deferred",
|
|
|
|
penalty_secs, reason);
|
2024-06-13 00:36:00 +02:00
|
|
|
if (++(*npenaltiesp) > (size_t)max_sources)
|
|
|
|
srclimit_early_expire_penalties(); /* permissive */
|
upstream: Add a facility to sshd(8) to penalise particular
problematic client behaviours, controlled by two new sshd_config(5) options:
PerSourcePenalties and PerSourcePenaltyExemptList.
When PerSourcePenalties are enabled, sshd(8) will monitor the exit
status of its child pre-auth session processes. Through the exit
status, it can observe situations where the session did not
authenticate as expected. These conditions include when the client
repeatedly attempted authentication unsucessfully (possibly indicating
an attack against one or more accounts, e.g. password guessing), or
when client behaviour caused sshd to crash (possibly indicating
attempts to exploit sshd).
When such a condition is observed, sshd will record a penalty of some
duration (e.g. 30 seconds) against the client's address. If this time
is above a minimum threshold specified by the PerSourcePenalties, then
connections from the client address will be refused (along with any
others in the same PerSourceNetBlockSize CIDR range).
Repeated offenses by the same client address will accrue greater
penalties, up to a configurable maximum. A PerSourcePenaltyExemptList
option allows certain address ranges to be exempt from all penalties.
We hope these options will make it significantly more difficult for
attackers to find accounts with weak/guessable passwords or exploit
bugs in sshd(8) itself.
PerSourcePenalties is off by default, but we expect to enable it
automatically in the near future.
much feedback markus@ and others, ok markus@
OpenBSD-Commit-ID: 89ded70eccb2b4926ef0366a4d58a693de366cca
2024-06-06 19:15:25 +02:00
|
|
|
return;
|
|
|
|
}
|
2024-06-13 00:36:00 +02:00
|
|
|
debug_f("%s penalty for %s %s already exists, %lld seconds remaining",
|
|
|
|
existing->active ? "active" : "inactive", t,
|
upstream: Add a facility to sshd(8) to penalise particular
problematic client behaviours, controlled by two new sshd_config(5) options:
PerSourcePenalties and PerSourcePenaltyExemptList.
When PerSourcePenalties are enabled, sshd(8) will monitor the exit
status of its child pre-auth session processes. Through the exit
status, it can observe situations where the session did not
authenticate as expected. These conditions include when the client
repeatedly attempted authentication unsucessfully (possibly indicating
an attack against one or more accounts, e.g. password guessing), or
when client behaviour caused sshd to crash (possibly indicating
attempts to exploit sshd).
When such a condition is observed, sshd will record a penalty of some
duration (e.g. 30 seconds) against the client's address. If this time
is above a minimum threshold specified by the PerSourcePenalties, then
connections from the client address will be refused (along with any
others in the same PerSourceNetBlockSize CIDR range).
Repeated offenses by the same client address will accrue greater
penalties, up to a configurable maximum. A PerSourcePenaltyExemptList
option allows certain address ranges to be exempt from all penalties.
We hope these options will make it significantly more difficult for
attackers to find accounts with weak/guessable passwords or exploit
bugs in sshd(8) itself.
PerSourcePenalties is off by default, but we expect to enable it
automatically in the near future.
much feedback markus@ and others, ok markus@
OpenBSD-Commit-ID: 89ded70eccb2b4926ef0366a4d58a693de366cca
2024-06-06 19:15:25 +02:00
|
|
|
addrnetmask, (long long)(existing->expiry - now));
|
|
|
|
/* Expiry information is about to change, remove from tree */
|
2024-06-13 00:36:00 +02:00
|
|
|
if (RB_REMOVE(penalties_by_expiry, by_expiry, existing) != existing)
|
|
|
|
fatal_f("internal error: %s penalty table corrupt (remove)", t);
|
upstream: Add a facility to sshd(8) to penalise particular
problematic client behaviours, controlled by two new sshd_config(5) options:
PerSourcePenalties and PerSourcePenaltyExemptList.
When PerSourcePenalties are enabled, sshd(8) will monitor the exit
status of its child pre-auth session processes. Through the exit
status, it can observe situations where the session did not
authenticate as expected. These conditions include when the client
repeatedly attempted authentication unsucessfully (possibly indicating
an attack against one or more accounts, e.g. password guessing), or
when client behaviour caused sshd to crash (possibly indicating
attempts to exploit sshd).
When such a condition is observed, sshd will record a penalty of some
duration (e.g. 30 seconds) against the client's address. If this time
is above a minimum threshold specified by the PerSourcePenalties, then
connections from the client address will be refused (along with any
others in the same PerSourceNetBlockSize CIDR range).
Repeated offenses by the same client address will accrue greater
penalties, up to a configurable maximum. A PerSourcePenaltyExemptList
option allows certain address ranges to be exempt from all penalties.
We hope these options will make it significantly more difficult for
attackers to find accounts with weak/guessable passwords or exploit
bugs in sshd(8) itself.
PerSourcePenalties is off by default, but we expect to enable it
automatically in the near future.
much feedback markus@ and others, ok markus@
OpenBSD-Commit-ID: 89ded70eccb2b4926ef0366a4d58a693de366cca
2024-06-06 19:15:25 +02:00
|
|
|
/* An entry already existed. Accumulate penalty up to maximum */
|
|
|
|
existing->expiry += penalty_secs;
|
|
|
|
if (existing->expiry - now > penalty_cfg.penalty_max)
|
|
|
|
existing->expiry = now + penalty_cfg.penalty_max;
|
|
|
|
if (existing->expiry - now > penalty_cfg.penalty_min &&
|
|
|
|
!existing->active) {
|
2024-06-13 00:36:00 +02:00
|
|
|
verbose_f("%s: activating %s penalty of %lld seconds for %s",
|
|
|
|
addrnetmask, t, (long long)(existing->expiry - now),
|
|
|
|
reason);
|
upstream: Add a facility to sshd(8) to penalise particular
problematic client behaviours, controlled by two new sshd_config(5) options:
PerSourcePenalties and PerSourcePenaltyExemptList.
When PerSourcePenalties are enabled, sshd(8) will monitor the exit
status of its child pre-auth session processes. Through the exit
status, it can observe situations where the session did not
authenticate as expected. These conditions include when the client
repeatedly attempted authentication unsucessfully (possibly indicating
an attack against one or more accounts, e.g. password guessing), or
when client behaviour caused sshd to crash (possibly indicating
attempts to exploit sshd).
When such a condition is observed, sshd will record a penalty of some
duration (e.g. 30 seconds) against the client's address. If this time
is above a minimum threshold specified by the PerSourcePenalties, then
connections from the client address will be refused (along with any
others in the same PerSourceNetBlockSize CIDR range).
Repeated offenses by the same client address will accrue greater
penalties, up to a configurable maximum. A PerSourcePenaltyExemptList
option allows certain address ranges to be exempt from all penalties.
We hope these options will make it significantly more difficult for
attackers to find accounts with weak/guessable passwords or exploit
bugs in sshd(8) itself.
PerSourcePenalties is off by default, but we expect to enable it
automatically in the near future.
much feedback markus@ and others, ok markus@
OpenBSD-Commit-ID: 89ded70eccb2b4926ef0366a4d58a693de366cca
2024-06-06 19:15:25 +02:00
|
|
|
existing->active = 1;
|
|
|
|
}
|
|
|
|
existing->reason = penalty->reason;
|
|
|
|
free(penalty);
|
2024-06-13 00:36:00 +02:00
|
|
|
penalty = NULL;
|
upstream: Add a facility to sshd(8) to penalise particular
problematic client behaviours, controlled by two new sshd_config(5) options:
PerSourcePenalties and PerSourcePenaltyExemptList.
When PerSourcePenalties are enabled, sshd(8) will monitor the exit
status of its child pre-auth session processes. Through the exit
status, it can observe situations where the session did not
authenticate as expected. These conditions include when the client
repeatedly attempted authentication unsucessfully (possibly indicating
an attack against one or more accounts, e.g. password guessing), or
when client behaviour caused sshd to crash (possibly indicating
attempts to exploit sshd).
When such a condition is observed, sshd will record a penalty of some
duration (e.g. 30 seconds) against the client's address. If this time
is above a minimum threshold specified by the PerSourcePenalties, then
connections from the client address will be refused (along with any
others in the same PerSourceNetBlockSize CIDR range).
Repeated offenses by the same client address will accrue greater
penalties, up to a configurable maximum. A PerSourcePenaltyExemptList
option allows certain address ranges to be exempt from all penalties.
We hope these options will make it significantly more difficult for
attackers to find accounts with weak/guessable passwords or exploit
bugs in sshd(8) itself.
PerSourcePenalties is off by default, but we expect to enable it
automatically in the near future.
much feedback markus@ and others, ok markus@
OpenBSD-Commit-ID: 89ded70eccb2b4926ef0366a4d58a693de366cca
2024-06-06 19:15:25 +02:00
|
|
|
/* Re-insert into expiry tree */
|
2024-06-13 00:36:00 +02:00
|
|
|
if (RB_INSERT(penalties_by_expiry, by_expiry, existing) != NULL)
|
|
|
|
fatal_f("internal error: %s penalty table corrupt (insert)", t);
|
upstream: Add a facility to sshd(8) to penalise particular
problematic client behaviours, controlled by two new sshd_config(5) options:
PerSourcePenalties and PerSourcePenaltyExemptList.
When PerSourcePenalties are enabled, sshd(8) will monitor the exit
status of its child pre-auth session processes. Through the exit
status, it can observe situations where the session did not
authenticate as expected. These conditions include when the client
repeatedly attempted authentication unsucessfully (possibly indicating
an attack against one or more accounts, e.g. password guessing), or
when client behaviour caused sshd to crash (possibly indicating
attempts to exploit sshd).
When such a condition is observed, sshd will record a penalty of some
duration (e.g. 30 seconds) against the client's address. If this time
is above a minimum threshold specified by the PerSourcePenalties, then
connections from the client address will be refused (along with any
others in the same PerSourceNetBlockSize CIDR range).
Repeated offenses by the same client address will accrue greater
penalties, up to a configurable maximum. A PerSourcePenaltyExemptList
option allows certain address ranges to be exempt from all penalties.
We hope these options will make it significantly more difficult for
attackers to find accounts with weak/guessable passwords or exploit
bugs in sshd(8) itself.
PerSourcePenalties is off by default, but we expect to enable it
automatically in the near future.
much feedback markus@ and others, ok markus@
OpenBSD-Commit-ID: 89ded70eccb2b4926ef0366a4d58a693de366cca
2024-06-06 19:15:25 +02:00
|
|
|
}
|
|
|
|
|
2024-06-13 00:36:00 +02:00
|
|
|
static void
|
|
|
|
srclimit_penalty_info_for_tree(const char *t,
|
|
|
|
struct penalties_by_expiry *by_expiry, size_t npenalties)
|
upstream: Add a facility to sshd(8) to penalise particular
problematic client behaviours, controlled by two new sshd_config(5) options:
PerSourcePenalties and PerSourcePenaltyExemptList.
When PerSourcePenalties are enabled, sshd(8) will monitor the exit
status of its child pre-auth session processes. Through the exit
status, it can observe situations where the session did not
authenticate as expected. These conditions include when the client
repeatedly attempted authentication unsucessfully (possibly indicating
an attack against one or more accounts, e.g. password guessing), or
when client behaviour caused sshd to crash (possibly indicating
attempts to exploit sshd).
When such a condition is observed, sshd will record a penalty of some
duration (e.g. 30 seconds) against the client's address. If this time
is above a minimum threshold specified by the PerSourcePenalties, then
connections from the client address will be refused (along with any
others in the same PerSourceNetBlockSize CIDR range).
Repeated offenses by the same client address will accrue greater
penalties, up to a configurable maximum. A PerSourcePenaltyExemptList
option allows certain address ranges to be exempt from all penalties.
We hope these options will make it significantly more difficult for
attackers to find accounts with weak/guessable passwords or exploit
bugs in sshd(8) itself.
PerSourcePenalties is off by default, but we expect to enable it
automatically in the near future.
much feedback markus@ and others, ok markus@
OpenBSD-Commit-ID: 89ded70eccb2b4926ef0366a4d58a693de366cca
2024-06-06 19:15:25 +02:00
|
|
|
{
|
|
|
|
struct penalty *p = NULL;
|
|
|
|
int bits;
|
|
|
|
char s[NI_MAXHOST + 4];
|
|
|
|
time_t now;
|
|
|
|
|
|
|
|
now = monotime();
|
2024-06-13 00:36:00 +02:00
|
|
|
logit("%zu active %s penalties", npenalties, t);
|
|
|
|
RB_FOREACH(p, penalties_by_expiry, by_expiry) {
|
upstream: Add a facility to sshd(8) to penalise particular
problematic client behaviours, controlled by two new sshd_config(5) options:
PerSourcePenalties and PerSourcePenaltyExemptList.
When PerSourcePenalties are enabled, sshd(8) will monitor the exit
status of its child pre-auth session processes. Through the exit
status, it can observe situations where the session did not
authenticate as expected. These conditions include when the client
repeatedly attempted authentication unsucessfully (possibly indicating
an attack against one or more accounts, e.g. password guessing), or
when client behaviour caused sshd to crash (possibly indicating
attempts to exploit sshd).
When such a condition is observed, sshd will record a penalty of some
duration (e.g. 30 seconds) against the client's address. If this time
is above a minimum threshold specified by the PerSourcePenalties, then
connections from the client address will be refused (along with any
others in the same PerSourceNetBlockSize CIDR range).
Repeated offenses by the same client address will accrue greater
penalties, up to a configurable maximum. A PerSourcePenaltyExemptList
option allows certain address ranges to be exempt from all penalties.
We hope these options will make it significantly more difficult for
attackers to find accounts with weak/guessable passwords or exploit
bugs in sshd(8) itself.
PerSourcePenalties is off by default, but we expect to enable it
automatically in the near future.
much feedback markus@ and others, ok markus@
OpenBSD-Commit-ID: 89ded70eccb2b4926ef0366a4d58a693de366cca
2024-06-06 19:15:25 +02:00
|
|
|
bits = p->addr.af == AF_INET ? ipv4_masklen : ipv6_masklen;
|
|
|
|
addr_masklen_ntop(&p->addr, bits, s, sizeof(s));
|
|
|
|
if (p->expiry < now)
|
|
|
|
logit("client %s %s (expired)", s, p->reason);
|
|
|
|
else {
|
|
|
|
logit("client %s %s (%llu secs left)", s, p->reason,
|
|
|
|
(long long)(p->expiry - now));
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
2024-06-13 00:36:00 +02:00
|
|
|
|
|
|
|
void
|
|
|
|
srclimit_penalty_info(void)
|
|
|
|
{
|
|
|
|
srclimit_penalty_info_for_tree("ipv4",
|
|
|
|
&penalties_by_expiry4, npenalties4);
|
|
|
|
srclimit_penalty_info_for_tree("ipv6",
|
|
|
|
&penalties_by_expiry6, npenalties6);
|
|
|
|
}
|