Add a "refuseconnection" penalty class to sshd_config
authordjm <djm@openbsd.org>
Sun, 15 Sep 2024 01:11:26 +0000 (01:11 +0000)
committerdjm <djm@openbsd.org>
Sun, 15 Sep 2024 01:11:26 +0000 (01:11 +0000)
PerSourcePenalties

This allows penalising connection sources that have had connections
dropped by the RefuseConnection option. ok markus@

usr.bin/ssh/servconf.c
usr.bin/ssh/servconf.h
usr.bin/ssh/srclimit.c
usr.bin/ssh/srclimit.h
usr.bin/ssh/sshd.c
usr.bin/ssh/sshd_config.5

index e9dc374..a8bd2dd 100644 (file)
@@ -1,4 +1,4 @@
-/* $OpenBSD: servconf.c,v 1.415 2024/09/15 01:09:40 djm Exp $ */
+/* $OpenBSD: servconf.c,v 1.416 2024/09/15 01:11:26 djm Exp $ */
 /*
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
  *                    All rights reserved
@@ -155,6 +155,7 @@ initialize_server_options(ServerOptions *options)
        options->per_source_penalty.penalty_authfail = -1;
        options->per_source_penalty.penalty_noauth = -1;
        options->per_source_penalty.penalty_grace = -1;
+       options->per_source_penalty.penalty_refuseconnection = -1;
        options->per_source_penalty.penalty_max = -1;
        options->per_source_penalty.penalty_min = -1;
        options->max_authtries = -1;
@@ -408,6 +409,8 @@ fill_default_server_options(ServerOptions *options)
                options->per_source_penalty.penalty_authfail = 5;
        if (options->per_source_penalty.penalty_noauth == -1)
                options->per_source_penalty.penalty_noauth = 1;
+       if (options->per_source_penalty.penalty_refuseconnection == -1)
+               options->per_source_penalty.penalty_refuseconnection = 10;
        if (options->per_source_penalty.penalty_min == -1)
                options->per_source_penalty.penalty_min = 15;
        if (options->per_source_penalty.penalty_max == -1)
@@ -1978,6 +1981,9 @@ process_server_config_line_depth(ServerOptions *options, char *line,
                        } else if (strncmp(arg, "grace-exceeded:", 15) == 0) {
                                p = arg + 15;
                                intptr = &options->per_source_penalty.penalty_grace;
+                       } else if (strncmp(arg, "refuseconnection:", 17) == 0) {
+                               p = arg + 17;
+                               intptr = &options->per_source_penalty.penalty_refuseconnection;
                        } else if (strncmp(arg, "max:", 4) == 0) {
                                p = arg + 4;
                                intptr = &options->per_source_penalty.penalty_max;
@@ -3243,12 +3249,14 @@ dump_config(ServerOptions *o)
 
        if (o->per_source_penalty.enabled) {
                printf("persourcepenalties crash:%d authfail:%d noauth:%d "
-                   "grace-exceeded:%d max:%d min:%d max-sources4:%d "
-                   "max-sources6:%d overflow:%s overflow6:%s\n",
+                   "grace-exceeded:%d refuseconnection: %d max:%d min:%d "
+                   "max-sources4:%d max-sources6:%d "
+                   "overflow:%s overflow6:%s\n",
                    o->per_source_penalty.penalty_crash,
                    o->per_source_penalty.penalty_authfail,
                    o->per_source_penalty.penalty_noauth,
                    o->per_source_penalty.penalty_grace,
+                   o->per_source_penalty.penalty_refuseconnection,
                    o->per_source_penalty.penalty_max,
                    o->per_source_penalty.penalty_min,
                    o->per_source_penalty.max_sources4,
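Review bot: The new format string in dump_config writes `refuseconnection: %d` with a space after the colon, while every other key in the same printf (`grace-exceeded:%d`, `max:%d`, `min:%d`) is written without one, and the parser added in process_server_config_line_depth matches the token `refuseconnection:` with the value expected to follow immediately at `arg + 17`. As written, `sshd -T` output for this option would not round-trip through the config parser the way the other sub-options do. The line should read `"grace-exceeded:%d refuseconnection:%d max:%d min:%d "`. The printf call and dump_config continue past the end of this hunk.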
index 69dfccf..d7066ec 100644 (file)
@@ -1,4 +1,4 @@
-/* $OpenBSD: servconf.h,v 1.166 2024/09/15 01:09:40 djm Exp $ */
+/* $OpenBSD: servconf.h,v 1.167 2024/09/15 01:11:26 djm Exp $ */
 
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
@@ -77,6 +77,7 @@ struct per_source_penalty {
        int     penalty_grace;
        int     penalty_authfail;
        int     penalty_noauth;
+       int     penalty_refuseconnection;
        int     penalty_max;
        int     penalty_min;
 };
index 8157ff0..bc747dc 100644 (file)
@@ -379,6 +379,10 @@ srclimit_penalise(struct xaddr *addr, int penalty_type)
                penalty_secs = penalty_cfg.penalty_noauth;
                reason = "penalty: connections without attempting authentication";
                break;
+       case SRCLIMIT_PENALTY_REFUSECONNECTION:
+               penalty_secs = penalty_cfg.penalty_refuseconnection;
+               reason = "penalty: connection prohibited by RefuseConnection";
+               break;
        case SRCLIMIT_PENALTY_GRACE_EXCEEDED:
                penalty_secs = penalty_cfg.penalty_crash;
                reason = "penalty: exceeded LoginGraceTime";
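Review bot: The new SRCLIMIT_PENALTY_REFUSECONNECTION case correctly reads `penalty_cfg.penalty_refuseconnection`, but the adjacent SRCLIMIT_PENALTY_GRACE_EXCEEDED case in the context lines reads `penalty_cfg.penalty_crash` rather than `penalty_cfg.penalty_grace`, so the `grace-exceeded:duration` value that servconf.c parses into penalty_grace appears to have no effect here. Since this commit is extending the same switch, it would be a good moment to change that line to `penalty_secs = penalty_cfg.penalty_grace;`, assuming nothing outside the hunk depends on the current behaviour. srclimit_penalise begins and ends outside this hunk.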
index 1316451..77d951b 100644 (file)
@@ -22,11 +22,12 @@ void        srclimit_init(int, int, int, int,
 int    srclimit_check_allow(int, int);
 void   srclimit_done(int);
 
-#define SRCLIMIT_PENALTY_NONE          0
-#define SRCLIMIT_PENALTY_CRASH         1
-#define SRCLIMIT_PENALTY_AUTHFAIL      2
-#define SRCLIMIT_PENALTY_GRACE_EXCEEDED        3
-#define SRCLIMIT_PENALTY_NOAUTH                4
+#define SRCLIMIT_PENALTY_NONE                  0
+#define SRCLIMIT_PENALTY_CRASH                 1
+#define SRCLIMIT_PENALTY_AUTHFAIL              2
+#define SRCLIMIT_PENALTY_GRACE_EXCEEDED                3
+#define SRCLIMIT_PENALTY_NOAUTH                        4
+#define SRCLIMIT_PENALTY_REFUSECONNECTION      5
 
 /* meaningful exit values, used by sshd listener for penalties */
 #define EXIT_LOGIN_GRACE       3       /* login grace period exceeded */
index 74b0fa1..c02a7b9 100644 (file)
@@ -1,4 +1,4 @@
-/* $OpenBSD: sshd.c,v 1.611 2024/09/12 00:36:27 djm Exp $ */
+/* $OpenBSD: sshd.c,v 1.612 2024/09/15 01:11:26 djm Exp $ */
 /*
  * Copyright (c) 2000, 2001, 2002 Markus Friedl.  All rights reserved.
  * Copyright (c) 2002 Niels Provos.  All rights reserved.
@@ -360,6 +360,13 @@ child_reap(struct early_child *child)
                            (long)child->pid, child->id,
                            child->early ? " (early)" : "");
                        break;
+               case EXIT_CONFIG_REFUSED:
+                       penalty_type = SRCLIMIT_PENALTY_REFUSECONNECTION;
+                       debug_f("preauth child %ld for %s prohibited by"
+                           "RefuseConnection %s",
+                           (long)child->pid, child->id,
+                           child->early ? " (early)" : "");
+                       break;
                default:
                        penalty_type = SRCLIMIT_PENALTY_NOAUTH;
                        debug_f("preauth child %ld for %s exited "
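Review bot: The debug message in the new EXIT_CONFIG_REFUSED case is split across two string literals with no space between them, so it is logged as "prohibited byRefuseConnection". The first literal should end with a space: `debug_f("preauth child %ld for %s prohibited by "`. Note also that the `%s` is filled with `" (early)"`, which already carries a leading space, so `"RefuseConnection%s"` on the second line avoids a double space in the early-child case. child_reap begins and ends outside this hunk.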
index 42131f6..7d29085 100644 (file)
@@ -33,7 +33,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: sshd_config.5,v 1.371 2024/09/15 01:09:40 djm Exp $
+.\" $OpenBSD: sshd_config.5,v 1.372 2024/09/15 01:11:26 djm Exp $
 .Dd $Mdocdate: September 15 2024 $
 .Dt SSHD_CONFIG 5
 .Os
@@ -1598,6 +1598,11 @@ Specifies how long to refuse clients that cause a crash of
 .It Cm authfail:duration
 Specifies how long to refuse clients that disconnect after making one or more
 unsuccessful authentication attempts (default: 5s).
+.It Cm refuseconnection:duration
+Specified how long to refuse clients that were administratively prohibited
+connection via the
+.Cm RefuseConnection
+option (default: 10s).
 .It Cm noauth:duration
 Specifies how long to refuse clients that disconnect without attempting
 authentication (default: 1s).
@@ -1759,6 +1764,11 @@ The default is
 Indicates that
 .Xr sshd 8
 should unconditionally terminate the connection.
+Additionally, a
+.Cm refuseconnection
+penalty may be recorded against the source of the connection of
+.Cm PerSourcePenalties
+are enabled.
 This option is only really useful in a
 .Cm Match
 block.