From 4ad4d979befa76a8400438890fa82e99f8cc01ae Mon Sep 17 00:00:00 2001
From: djm
Date: Sun, 15 Sep 2024 01:11:26 +0000
Subject: [PATCH] Add a "refuseconnection" penalty class to sshd_config PerSourcePenalties
This allows penalising connection sources that have had connections dropped by the RefuseConnection option.
ok markus@
---
 usr.bin/ssh/servconf.c | 14 +++++++++++---
 usr.bin/ssh/servconf.h | 3 ++-
 usr.bin/ssh/srclimit.c | 4 ++++
 usr.bin/ssh/srclimit.h | 11 ++++++-----
 usr.bin/ssh/sshd.c | 9 ++++++++-
 usr.bin/ssh/sshd_config.5 | 12 +++++++++++-
 6 files changed, 42 insertions(+), 11 deletions(-)
diff --git a/usr.bin/ssh/servconf.c b/usr.bin/ssh/servconf.c
index e9dc37454e6..a8bd2ddc2a3 100644
--- a/usr.bin/ssh/servconf.c
+++ b/usr.bin/ssh/servconf.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: servconf.c,v 1.415 2024/09/15 01:09:40 djm Exp $ */
+/* $OpenBSD: servconf.c,v 1.416 2024/09/15 01:11:26 djm Exp $ */
 /*
 * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland
 * All rights reserved
@@ -155,6 +155,7 @@ initialize_server_options(ServerOptions *options)
 options->per_source_penalty.penalty_authfail = -1;
 options->per_source_penalty.penalty_noauth = -1;
 options->per_source_penalty.penalty_grace = -1;
+ options->per_source_penalty.penalty_refuseconnection = -1;
 options->per_source_penalty.penalty_max = -1;
 options->per_source_penalty.penalty_min = -1;
 options->max_authtries = -1;
@@ -408,6 +409,8 @@ fill_default_server_options(ServerOptions *options)
 options->per_source_penalty.penalty_authfail = 5;
 if (options->per_source_penalty.penalty_noauth == -1)
 options->per_source_penalty.penalty_noauth = 1;
+ if (options->per_source_penalty.penalty_refuseconnection == -1)
+ options->per_source_penalty.penalty_refuseconnection = 10;
 if (options->per_source_penalty.penalty_min == -1)
 options->per_source_penalty.penalty_min = 15;
 if (options->per_source_penalty.penalty_max == -1)
@@ -1978,6 +1981,9 @@ process_server_config_line_depth(ServerOptions *options, char *line,
 } else if (strncmp(arg, "grace-exceeded:", 15) == 0) {
 p = arg + 15;
 intptr = &options->per_source_penalty.penalty_grace;
+ } else if (strncmp(arg, "refuseconnection:", 17) == 0) {
+ p = arg + 17;
+ intptr = &options->per_source_penalty.penalty_refuseconnection;
 } else if (strncmp(arg, "max:", 4) == 0) {
 p = arg + 4;
 intptr = &options->per_source_penalty.penalty_max;
@@ -3243,12 +3249,14 @@ dump_config(ServerOptions *o)
 if (o->per_source_penalty.enabled) {
 printf("persourcepenalties crash:%d authfail:%d noauth:%d "
- "grace-exceeded:%d max:%d min:%d max-sources4:%d "
- "max-sources6:%d overflow:%s overflow6:%s\n",
+ "grace-exceeded:%d refuseconnection: %d max:%d min:%d "
+ "max-sources4:%d max-sources6:%d "
+ "overflow:%s overflow6:%s\n",
 o->per_source_penalty.penalty_crash,
 o->per_source_penalty.penalty_authfail,
 o->per_source_penalty.penalty_noauth,
 o->per_source_penalty.penalty_grace,
+ o->per_source_penalty.penalty_refuseconnection,
 o->per_source_penalty.penalty_max,
 o->per_source_penalty.penalty_min,
 o->per_source_penalty.max_sources4,
diff --git a/usr.bin/ssh/servconf.h b/usr.bin/ssh/servconf.h
index 69dfccfc4ca..d7066ec53de 100644
--- a/usr.bin/ssh/servconf.h
+++ b/usr.bin/ssh/servconf.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: servconf.h,v 1.166 2024/09/15 01:09:40 djm Exp $ */
+/* $OpenBSD: servconf.h,v 1.167 2024/09/15 01:11:26 djm Exp $ */
 /*
 * Author: Tatu Ylonen
@@ -77,6 +77,7 @@ struct per_source_penalty {
 int penalty_grace;
 int penalty_authfail;
 int penalty_noauth;
+ int penalty_refuseconnection;
 int penalty_max;
 int penalty_min;
 };
diff --git a/usr.bin/ssh/srclimit.c b/usr.bin/ssh/srclimit.c
index 8157ff02896..bc747dc31c1 100644
--- a/usr.bin/ssh/srclimit.c
+++ b/usr.bin/ssh/srclimit.c
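Review bot: The rewritten format string in the dump_config hunk prints `refuseconnection: %d` with a space before the value, unlike every other key on that line, so `sshd -T` will emit `refuseconnection: 10` as two separate tokens. The parser added in the -1978 hunk matches the 17-character prefix `refuseconnection:` and reads the value from `arg + 17`, so feeding dumped output back into a config would presumably see an empty value for that token instead of the configured duration, which breaks the usual round-trip use of `sshd -T`. The line should read `"grace-exceeded:%d refuseconnection:%d max:%d min:%d "`. dump_config starts and ends outside the hunk.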
@@ -379,6 +379,10 @@ srclimit_penalise(struct xaddr *addr, int penalty_type)
 penalty_secs = penalty_cfg.penalty_noauth;
 reason = "penalty: connections without attempting authentication";
 break;
+ case SRCLIMIT_PENALTY_REFUSECONNECTION:
+ penalty_secs = penalty_cfg.penalty_refuseconnection;
+ reason = "penalty: connection prohibited by RefuseConnection";
+ break;
 case SRCLIMIT_PENALTY_GRACE_EXCEEDED:
 penalty_secs = penalty_cfg.penalty_crash;
 reason = "penalty: exceeded LoginGraceTime";
diff --git a/usr.bin/ssh/srclimit.h b/usr.bin/ssh/srclimit.h
index 13164515b32..77d951ba66e 100644
--- a/usr.bin/ssh/srclimit.h
+++ b/usr.bin/ssh/srclimit.h
@@ -22,11 +22,12 @@ void srclimit_init(int, int, int, int,
 int srclimit_check_allow(int, int);
 void srclimit_done(int);
-#define SRCLIMIT_PENALTY_NONE 0
-#define SRCLIMIT_PENALTY_CRASH 1
-#define SRCLIMIT_PENALTY_AUTHFAIL 2
-#define SRCLIMIT_PENALTY_GRACE_EXCEEDED 3
-#define SRCLIMIT_PENALTY_NOAUTH 4
+#define SRCLIMIT_PENALTY_NONE 0
+#define SRCLIMIT_PENALTY_CRASH 1
+#define SRCLIMIT_PENALTY_AUTHFAIL 2
+#define SRCLIMIT_PENALTY_GRACE_EXCEEDED 3
+#define SRCLIMIT_PENALTY_NOAUTH 4
+#define SRCLIMIT_PENALTY_REFUSECONNECTION 5
 /* meaningful exit values, used by sshd listener for penalties */
 #define EXIT_LOGIN_GRACE 3 /* login grace period exceeded */
diff --git a/usr.bin/ssh/sshd.c b/usr.bin/ssh/sshd.c
index 74b0fa16b71..c02a7b9640c 100644
--- a/usr.bin/ssh/sshd.c
+++ b/usr.bin/ssh/sshd.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sshd.c,v 1.611 2024/09/12 00:36:27 djm Exp $ */
+/* $OpenBSD: sshd.c,v 1.612 2024/09/15 01:11:26 djm Exp $ */
 /*
 * Copyright (c) 2000, 2001, 2002 Markus Friedl. All rights reserved.
 * Copyright (c) 2002 Niels Provos. All rights reserved.
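Review bot: The `SRCLIMIT_PENALTY_GRACE_EXCEEDED` case directly below the new `REFUSECONNECTION` case takes its duration from `penalty_cfg.penalty_crash`, whereas servconf.c parses a distinct `grace-exceeded:` value into `penalty_grace` and the new case correctly reads its own `penalty_refuseconnection` field. This looks like a pre-existing copy-and-paste slip rather than something this commit introduces, but if so the administrator's configured grace-exceeded duration is never the one applied, which matters for a rate-limiting control; the fix would be `penalty_secs = penalty_cfg.penalty_grace;`. I cannot see from the hunk whether `penalty_grace` is consumed elsewhere, so please confirm before changing it. srclimit_penalise starts and ends outside the hunk.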
@@ -360,6 +360,13 @@ child_reap(struct early_child *child)
 (long)child->pid, child->id,
 child->early ? " (early)" : "");
 break;
+ case EXIT_CONFIG_REFUSED:
+ penalty_type = SRCLIMIT_PENALTY_REFUSECONNECTION;
+ debug_f("preauth child %ld for %s prohibited by"
+ "RefuseConnection %s",
+ (long)child->pid, child->id,
+ child->early ? " (early)" : "");
+ break;
 default:
 penalty_type = SRCLIMIT_PENALTY_NOAUTH;
 debug_f("preauth child %ld for %s exited "
diff --git a/usr.bin/ssh/sshd_config.5 b/usr.bin/ssh/sshd_config.5
index 42131f6b332..7d290853da0 100644
--- a/usr.bin/ssh/sshd_config.5
+++ b/usr.bin/ssh/sshd_config.5
@@ -33,7 +33,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: sshd_config.5,v 1.371 2024/09/15 01:09:40 djm Exp $
+.\" $OpenBSD: sshd_config.5,v 1.372 2024/09/15 01:11:26 djm Exp $
 .Dd $Mdocdate: September 15 2024 $
 .Dt SSHD_CONFIG 5
 .Os
@@ -1598,6 +1598,11 @@ Specifies how long to refuse clients that cause a crash of
 .It Cm authfail:duration
 Specifies how long to refuse clients that disconnect after making one or more unsuccessful authentication attempts (default: 5s).
+.It Cm refuseconnection:duration
+Specified how long to refuse clients that were administratively prohibited
+connection via the
+.Cm RefuseConnection
+option (default: 10s).
 .It Cm noauth:duration
 Specifies how long to refuse clients that disconnect without attempting authentication (default: 1s).
@@ -1759,6 +1764,11 @@ The default is
 Indicates that
 .Xr sshd 8
 should unconditionally terminate the connection.
+Additionally, a
+.Cm refuseconnection
+penalty may be recorded against the source of the connection of
+.Cm PerSourcePenalties
+are enabled.
 This option is only really useful in a
 .Cm Match
 block.
-- 
2.20.1
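Review bot: The two string literals in the new `debug_f` call in child_reap are concatenated with no separating space, so the message is logged as `... prohibited byRefuseConnection ...`; the first literal should end with a space, `"preauth child %ld for %s prohibited by "`, matching the `"... exited "` literal in the default case below it. `EXIT_CONFIG_REFUSED` is not defined anywhere in this patch; presumably it was added next to `EXIT_LOGIN_GRACE` in srclimit.h by an earlier commit, but that is worth confirming since this hunk is the first consumer of it here. child_reap starts and ends outside the hunk.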