2000-05-13 17:11:01 +00:00
|
|
|
--- sshd.c.orig Wed May 3 19:21:49 2000
|
|
|
|
|
+++ sshd.c Fri May 12 07:11:43 2000
|
|
|
|
|
@@ -49,6 +49,13 @@
|
1999-11-24 03:36:23 +00:00
|
|
|
int deny_severity = LOG_WARNING;
|
|
|
|
|
#endif /* LIBWRAP */
|
|
|
|
|
|
|
|
|
|
+#ifdef __FreeBSD__
|
|
|
|
|
+#include <libutil.h>
|
2000-04-20 22:24:19 +00:00
|
|
|
+#include <poll.h>
|
1999-11-24 03:36:23 +00:00
|
|
|
+#include <syslog.h>
|
2000-04-20 22:24:19 +00:00
|
|
|
+#include <time.h>
|
1999-11-24 03:36:23 +00:00
|
|
|
+#endif /* __FreeBSD__ */
|
|
|
|
|
+
|
|
|
|
|
#ifndef O_NOCTTY
|
|
|
|
|
#define O_NOCTTY 0
|
|
|
|
|
#endif
|
2000-05-13 17:11:01 +00:00
|
|
|
@@ -134,6 +141,32 @@
|
|
|
|
|
unsigned char *session_id2 = NULL;
|
|
|
|
|
int session_id2_len = 0;
|
In the meantime (while things are being worked and decided on on the
OpenBSD OpenSSH front), add ConnectionsPerPeriod to prevent DoS via
running the system out of resources. In reality, this wouldn't
be a full DoS, but would make a system slower, but this is a better
thing to do than let the system get loaded down.
So here we are, rate-limiting. The default settings are now:
Five connections are allowed to authenticate (and not be rejected) in
a period of ten seconds.
One minute is given for login grace time.
More work in this area is being done by alfred@FreeBSD.org and
markus@OpenBSD.org, at the very least. This is, essentially, a
stopgap solution; however, it is a properly implemented and documented
one, and has an easily modifiable framework.
1999-12-06 06:32:22 +00:00
|
|
|
|
|
|
|
|
+/* These are used to implement connections_per_period. */
|
|
|
|
|
+struct magic_connection {
|
|
|
|
|
+ struct timeval connections_begin;
|
|
|
|
|
+ unsigned int connections_this_period;
|
|
|
|
|
+} *magic_connections;
|
|
|
|
|
+/* Magic number, too! TODO: this doesn't have to be static. */
|
|
|
|
|
+const size_t MAGIC_CONNECTIONS_SIZE = 1;
|
|
|
|
|
+
|
|
|
|
|
+static __inline int
|
2000-02-25 05:35:33 +00:00
|
|
|
+magic_hash(struct sockaddr_storage *sa) {
|
In the meantime (while things are being worked and decided on on the
OpenBSD OpenSSH front), add ConnectionsPerPeriod to prevent DoS via
running the system out of resources. In reality, this wouldn't
be a full DoS, but would make a system slower, but this is a better
thing to do than let the system get loaded down.
So here we are, rate-limiting. The default settings are now:
Five connections are allowed to authenticate (and not be rejected) in
a period of ten seconds.
One minute is given for login grace time.
More work in this area is being done by alfred@FreeBSD.org and
markus@OpenBSD.org, at the very least. This is, essentially, a
stopgap solution; however, it is a properly implemented and documented
one, and has an easily modifiable framework.
1999-12-06 06:32:22 +00:00
|
|
|
+
|
|
|
|
|
+ return 0;
|
|
|
|
|
+}
|
|
|
|
|
+
|
|
|
|
|
+static __inline struct timeval
|
|
|
|
|
+timevaldiff(struct timeval *tv1, struct timeval *tv2) {
|
|
|
|
|
+ struct timeval diff;
|
|
|
|
|
+ int carry;
|
|
|
|
|
+
|
|
|
|
|
+ carry = tv1->tv_usec > tv2->tv_usec;
|
|
|
|
|
+ diff.tv_sec = tv2->tv_sec - tv1->tv_sec - (carry ? 0 : 1);
|
|
|
|
|
+ diff.tv_usec = tv2->tv_usec - tv1->tv_usec + (carry ? 1000000 : 0);
|
|
|
|
|
+
|
|
|
|
|
+ return diff;
|
|
|
|
|
+}
|
|
|
|
|
+
|
|
|
|
|
/* Prototypes for various functions defined later in this file. */
|
2000-04-20 22:24:19 +00:00
|
|
|
void do_ssh1_kex();
|
|
|
|
|
void do_ssh2_kex();
|
2000-05-13 17:11:01 +00:00
|
|
|
@@ -418,6 +451,7 @@
|
2000-04-20 22:24:19 +00:00
|
|
|
int opt, sock_in = 0, sock_out = 0, newsock, i, fdsetsz, on = 1;
|
|
|
|
|
pid_t pid;
|
2000-01-13 23:22:17 +00:00
|
|
|
socklen_t fromlen;
|
2000-05-13 17:11:01 +00:00
|
|
|
+ int connections_per_period_exceeded = 0;
|
|
|
|
|
int silent = 0;
|
2000-01-13 23:22:17 +00:00
|
|
|
fd_set *fdset;
|
2000-04-20 22:24:19 +00:00
|
|
|
struct sockaddr_storage from;
|
2000-05-13 17:11:01 +00:00
|
|
|
@@ -763,6 +797,12 @@
|
2000-04-20 22:24:19 +00:00
|
|
|
fdsetsz = howmany(maxfd, NFDBITS) * sizeof(fd_mask);
|
|
|
|
|
fdset = (fd_set *)xmalloc(fdsetsz);
|
In the meantime (while things are being worked and decided on on the
OpenBSD OpenSSH front), add ConnectionsPerPeriod to prevent DoS via
running the system out of resources. In reality, this wouldn't
be a full DoS, but would make a system slower, but this is a better
thing to do than let the system get loaded down.
So here we are, rate-limiting. The default settings are now:
Five connections are allowed to authenticate (and not be rejected) in
a period of ten seconds.
One minute is given for login grace time.
More work in this area is being done by alfred@FreeBSD.org and
markus@OpenBSD.org, at the very least. This is, essentially, a
stopgap solution; however, it is a properly implemented and documented
one, and has an easily modifiable framework.
1999-12-06 06:32:22 +00:00
|
|
|
|
|
|
|
|
+ /* Initialize the magic_connections table. It's magical! */
|
|
|
|
|
+ magic_connections = calloc(MAGIC_CONNECTIONS_SIZE,
|
|
|
|
|
+ sizeof(struct magic_connection));
|
|
|
|
|
+ if (magic_connections == NULL)
|
|
|
|
|
+ fatal("calloc: %s", strerror(errno));
|
|
|
|
|
+
|
|
|
|
|
/*
|
|
|
|
|
* Stay listening for connections until the system crashes or
|
|
|
|
|
* the daemon is killed with a signal.
|
2000-05-13 17:11:01 +00:00
|
|
|
@@ -794,9 +834,31 @@
|
2000-01-13 23:22:17 +00:00
|
|
|
error("newsock del O_NONBLOCK: %s", strerror(errno));
|
In the meantime (while things are being worked and decided on on the
OpenBSD OpenSSH front), add ConnectionsPerPeriod to prevent DoS via
running the system out of resources. In reality, this wouldn't
be a full DoS, but would make a system slower, but this is a better
thing to do than let the system get loaded down.
So here we are, rate-limiting. The default settings are now:
Five connections are allowed to authenticate (and not be rejected) in
a period of ten seconds.
One minute is given for login grace time.
More work in this area is being done by alfred@FreeBSD.org and
markus@OpenBSD.org, at the very least. This is, essentially, a
stopgap solution; however, it is a properly implemented and documented
one, and has an easily modifiable framework.
1999-12-06 06:32:22 +00:00
|
|
|
continue;
|
|
|
|
|
}
|
|
|
|
|
+ if (options.connections_per_period != 0) {
|
|
|
|
|
+ struct timeval diff, connections_end;
|
|
|
|
|
+ struct magic_connection *mc;
|
|
|
|
|
+
|
|
|
|
|
+ (void)gettimeofday(&connections_end, NULL);
|
2000-02-25 05:35:33 +00:00
|
|
|
+ mc = &magic_connections[magic_hash(&from)];
|
In the meantime (while things are being worked and decided on on the
OpenBSD OpenSSH front), add ConnectionsPerPeriod to prevent DoS via
running the system out of resources. In reality, this wouldn't
be a full DoS, but would make a system slower, but this is a better
thing to do than let the system get loaded down.
So here we are, rate-limiting. The default settings are now:
Five connections are allowed to authenticate (and not be rejected) in
a period of ten seconds.
One minute is given for login grace time.
More work in this area is being done by alfred@FreeBSD.org and
markus@OpenBSD.org, at the very least. This is, essentially, a
stopgap solution; however, it is a properly implemented and documented
one, and has an easily modifiable framework.
1999-12-06 06:32:22 +00:00
|
|
|
+ diff = timevaldiff(&mc->connections_begin, &connections_end);
|
|
|
|
|
+ if (diff.tv_sec >= options.connections_period) {
|
|
|
|
|
+ /*
|
|
|
|
|
+ * Slide the window forward only after completely
|
|
|
|
|
+ * leaving it.
|
|
|
|
|
+ */
|
|
|
|
|
+ mc->connections_begin = connections_end;
|
|
|
|
|
+ mc->connections_this_period = 1;
|
|
|
|
|
+ } else {
|
|
|
|
|
+ if (++mc->connections_this_period >
|
|
|
|
|
+ options.connections_per_period)
|
|
|
|
|
+ connections_per_period_exceeded = 1;
|
|
|
|
|
+ }
|
|
|
|
|
+ }
|
|
|
|
|
+
|
|
|
|
|
/*
|
|
|
|
|
- * Got connection. Fork a child to handle it, unless
|
|
|
|
|
- * we are in debugging mode.
|
|
|
|
|
+ * Got connection. Fork a child to handle it unless
|
|
|
|
|
+ * we are in debugging mode or the maximum number of
|
|
|
|
|
+ * connections per period has been exceeded.
|
|
|
|
|
*/
|
|
|
|
|
if (debug_flag) {
|
|
|
|
|
/*
|
2000-05-13 17:11:01 +00:00
|
|
|
@@ -810,6 +872,12 @@
|
In the meantime (while things are being worked and decided on on the
OpenBSD OpenSSH front), add ConnectionsPerPeriod to prevent DoS via
running the system out of resources. In reality, this wouldn't
be a full DoS, but would make a system slower, but this is a better
thing to do than let the system get loaded down.
So here we are, rate-limiting. The default settings are now:
Five connections are allowed to authenticate (and not be rejected) in
a period of ten seconds.
One minute is given for login grace time.
More work in this area is being done by alfred@FreeBSD.org and
markus@OpenBSD.org, at the very least. This is, essentially, a
stopgap solution; however, it is a properly implemented and documented
one, and has an easily modifiable framework.
1999-12-06 06:32:22 +00:00
|
|
|
sock_out = newsock;
|
|
|
|
|
pid = getpid();
|
|
|
|
|
break;
|
|
|
|
|
+ } else if (connections_per_period_exceeded) {
|
|
|
|
|
+ log("Connection rate limit of %u/%us has been exceeded; "
|
|
|
|
|
+ "dropping connection from %s.",
|
|
|
|
|
+ options.connections_per_period, options.connections_period,
|
2000-01-13 23:22:17 +00:00
|
|
|
+ ntop);
|
In the meantime (while things are being worked and decided on on the
OpenBSD OpenSSH front), add ConnectionsPerPeriod to prevent DoS via
running the system out of resources. In reality, this wouldn't
be a full DoS, but would make a system slower, but this is a better
thing to do than let the system get loaded down.
So here we are, rate-limiting. The default settings are now:
Five connections are allowed to authenticate (and not be rejected) in
a period of ten seconds.
One minute is given for login grace time.
More work in this area is being done by alfred@FreeBSD.org and
markus@OpenBSD.org, at the very least. This is, essentially, a
stopgap solution; however, it is a properly implemented and documented
one, and has an easily modifiable framework.
1999-12-06 06:32:22 +00:00
|
|
|
+ connections_per_period_exceeded = 0;
|
|
|
|
|
} else {
|
|
|
|
|
/*
|
|
|
|
|
* Normal production daemon. Fork, and have
|
