freebsd-ports/security/openssh/files/patch-ar

--- /usr/ports/distfiles/OpenSSH-1.2/src/usr.bin/ssh/sshd.8	Tue Nov 23 18:58:38 1999
+++ sshd.8	Sun Dec  5 22:59:58 1999
@@ -220,6 +220,31 @@
 should check for new mail for interactive logins.
 The default is
 .Dq no .
+.It Cm ConnectionsPerPeriod
+This keyword allows for rate-limiting of connections, and
+is followed by two numbers in the format
+.Dq n/s ,
+where
+.Ar n
+is the number of connections from a certain address group
+accepted per period of
+.Ar s
+seconds.  Any connection after the number
+.Ar n
+connection in the period of
+.Ar s
+seconds will be dropped, and an informational message will be logged.
+A connection will belong to a certain group, of which there are 13
+by default, according to its IP address.
+The default for this keyword is
+.Dq 0/0 ,
+and rate-limiting can be explicitly turned off by using an
+.Ar n
+parameter of
+.Ql 0
+and any
+.Ar s
+parameter.
 .It Cm DenyGroups
 This keyword can be followed by a number of group names, separated
 by spaces.  Users whose primary group matches one of the patterns
@@ -453,8 +478,9 @@
 If the login is on a tty, records login time.
 .It
 Checks
-.Pa /etc/nologin ;
-if it exists, prints contents and quits
+.Pa /etc/nologin and
+.Pa /var/run/nologin ;
+if one exists, it prints the contents and quits
 (unless root).
 .It
 Changes to run with normal user privileges.
In the meantime (while things are being worked and decided on on the OpenBSD OpenSSH front), add ConnectionsPerPeriod to prevent DoS via running the system out of resources. In reality, this wouldn't be a full DoS, but would make a system slower, but this is a better thing to do than let the system get loaded down. So here we are, rate-limiting. The default settings are now: Five connections are allowed to authenticate (and not be rejected) in a period of ten seconds. One minute is given for login grace time. More work in this area is being done by alfred@FreeBSD.org and markus@OpenBSD.org, at the very least. This is, essentially, a stopgap solution; however, it is a properly implemented and documented one, and has an easily modifiable framework. 1999-12-06 06:32:22 +00:00			`--- /usr/ports/distfiles/OpenSSH-1.2/src/usr.bin/ssh/sshd.8 Tue Nov 23 18:58:38 1999`
			`+++ sshd.8 Sun Dec 5 22:59:58 1999`
			`@@ -220,6 +220,31 @@`
			`should check for new mail for interactive logins.`
			`The default is`
			`.Dq no .`
			`+.It Cm ConnectionsPerPeriod`
			`+This keyword allows for rate-limiting of connections, and`
			`+is followed by two numbers in the format`
			`+.Dq n/s ,`
			`+where`
			`+.Ar n`
			`+is the number of connections from a certain address group`
			`+accepted per period of`
			`+.Ar s`
			`+seconds. Any connection after the number`
			`+.Ar n`
			`+connection in the period of`
			`+.Ar s`
			`+seconds will be dropped, and an informational message will be logged.`
			`+A connection will belong to a certain group, of which there are 13`
			`+by default, according to its IP address.`
			`+The default for this keyword is`
			`+.Dq 0/0 ,`
			`+and rate-limiting can be explicitly turned off by using an`
			`+.Ar n`
			`+parameter of`
			`+.Ql 0`
			`+and any`
			`+.Ar s`
			`+parameter.`
			`.It Cm DenyGroups`
			`This keyword can be followed by a number of group names, separated`
			`by spaces. Users whose primary group matches one of the patterns`
			`@@ -453,8 +478,9 @@`
			`If the login is on a tty, records login time.`
			`.It`
			`Checks`
			`-.Pa /etc/nologin ;`
			`-if it exists, prints contents and quits`
			`+.Pa /etc/nologin and`
			`+.Pa /var/run/nologin ;`
			`+if one exists, it prints the contents and quits`
			`(unless root).`
			`.It`
			`Changes to run with normal user privileges.`