7db4f457f6
OpenBSD OpenSSH front), add ConnectionsPerPeriod to prevent DoS via running the system out of resources. In reality, this wouldn't be a full DoS, but would make a system slower; still, this is a better thing to do than let the system get loaded down. So here we are, rate-limiting. The default settings are now: Five connections are allowed to authenticate (and not be rejected) in a period of ten seconds. One minute is given for login grace time. More work in this area is being done by alfred@FreeBSD.org and markus@OpenBSD.org, at the very least. This is, essentially, a stopgap solution; however, it is a properly implemented and documented one, and has an easily modifiable framework.
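--- servconf.c.orig Sun Dec 5 01:48:12 1999
+++ servconf.c Sun Dec 5 01:57:57 1999
@@ -63,6 +63,8 @@
 options->num_deny_users = 0;
 options->num_allow_groups = 0;
 options->num_deny_groups = 0;
+ options->connections_per_period = 0;
+ options->connections_period = 0;
 }
 
 void
@@ -161,7 +163,7 @@
 sPrintMotd, sIgnoreRhosts, sX11Forwarding, sX11DisplayOffset,
 sStrictModes, sEmptyPasswd, sRandomSeedFile, sKeepAlives, sCheckMail,
 sUseLogin, sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups,
- sIgnoreUserKnownHosts
+ sIgnoreUserKnownHosts, sConnectionsPerPeriod
 } ServerOpCodes;
 
 /* Textual representation of the tokens. */
@@ -209,6 +211,7 @@
 { "denyusers", sDenyUsers },
 { "allowgroups", sAllowGroups },
 { "denygroups", sDenyGroups },
+ { "connectionsperperiod", sConnectionsPerPeriod },
 { NULL, 0 }
 };
 
@@ -270,7 +273,11 @@
 filename, linenum);
 exit(1);
 }
- value = atoi(cp);
+ if (sscanf(cp, " %d ", &value) != 1) {
+ fprintf(stderr, "%s line %d: invalid integer value.\n",
+ filename, linenum);
+ exit(1);
+ }
 if (*intptr == -1)
 *intptr = value;
 break;
@@ -466,63 +473,65 @@
 
 case sAllowUsers:
 while ((cp = strtok(NULL, WHITESPACE))) {
- if (options->num_allow_users >= MAX_ALLOW_USERS) {
- fprintf(stderr, "%s line %d: too many allow users.\n",
- filename, linenum);
- exit(1);
- }
+ if (options->num_allow_users >= MAX_ALLOW_USERS)
+ fatal("%.200s line %d: too many allow users.\n", filename,
+ linenum);
 options->allow_users[options->num_allow_users++] = xstrdup(cp);
 }
 break;
 
 case sDenyUsers:
 while ((cp = strtok(NULL, WHITESPACE))) {
- if (options->num_deny_users >= MAX_DENY_USERS) {
- fprintf(stderr, "%s line %d: too many deny users.\n",
- filename, linenum);
- exit(1);
- }
+ if (options->num_deny_users >= MAX_DENY_USERS)
+ fatal("%.200s line %d: too many deny users.\n", filename,
+ linenum);
 options->deny_users[options->num_deny_users++] = xstrdup(cp);
 }
 break;
 
 case sAllowGroups:
 while ((cp = strtok(NULL, WHITESPACE))) {
- if (options->num_allow_groups >= MAX_ALLOW_GROUPS) {
- fprintf(stderr, "%s line %d: too many allow groups.\n",
- filename, linenum);
- exit(1);
- }
+ if (options->num_allow_groups >= MAX_ALLOW_GROUPS)
+ fatal("%.200s line %d: too many allow groups.\n", filename,
+ linenum);
 options->allow_groups[options->num_allow_groups++] = xstrdup(cp);
 }
 break;
 
 case sDenyGroups:
 while ((cp = strtok(NULL, WHITESPACE))) {
- if (options->num_deny_groups >= MAX_DENY_GROUPS) {
- fprintf(stderr, "%s line %d: too many deny groups.\n",
- filename, linenum);
- exit(1);
- }
+ if (options->num_deny_groups >= MAX_DENY_GROUPS)
+ fatal("%.200s line %d: too many deny groups.\n", filename,
+ linenum);
 options->deny_groups[options->num_deny_groups++] = xstrdup(cp);
 }
 break;
 
+ case sConnectionsPerPeriod:
+ cp = strtok(NULL, WHITESPACE);
+ if (cp == NULL)
+ fatal("%.200s line %d: missing (>= 0) number argument.\n",
+ filename, linenum);
+ if (sscanf(cp, " %u/%u ", &options->connections_per_period,
+ &options->connections_period) != 2)
+ fatal("%.200s line %d: invalid numerical argument(s).\n",
+ filename, linenum);
+ if (options->connections_per_period != 0 &&
+ options->connections_period == 0)
+ fatal("%.200s line %d: invalid connections period.\n",
+ filename, linenum);
+ break;
+
 default:
- fprintf(stderr, "%s line %d: Missing handler for opcode %s (%d)\n",
+ fatal("%.200s line %d: Missing handler for opcode %s (%d)\n",
 filename, linenum, cp, opcode);
- exit(1);
- }
- if (strtok(NULL, WHITESPACE) != NULL) {
- fprintf(stderr, "%s line %d: garbage at end of line.\n",
- filename, linenum);
- exit(1);
 }
+ if (strtok(NULL, WHITESPACE) != NULL)
+ fatal("%.200s line %d: garbage at end of line.\n", filename,
+ linenum);
 }
 fclose(f);
- if (bad_options > 0) {
- fprintf(stderr, "%s: terminating, %d bad configuration options\n",
+ if (bad_options > 0)
+ fatal("%.200s: terminating, %d bad configuration options\n",
 filename, bad_options);
- exit(1);
- }
 }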
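Review bot: The `sscanf(cp, " %u/%u ", ...)` check in the new sConnectionsPerPeriod case accepts trailing garbage and negative numbers: a trailing blank in a scanf format matches zero or more whitespace and never requires end of input, so an argument such as `5/10x` still returns 2 and is stored, and `%u` converts a leading `-` with strtoul semantics, so `-5/10` silently becomes a very large unsigned count despite the "(>= 0)" wording of the error message; values beyond UINT_MAX are likewise not diagnosed. The same end-of-input gap applies to the `sscanf(cp, " %d ", &value)` line that replaces atoi() in the `@@ -270,7 +273,11 @@` hunk, where `10x` is accepted as 10. Because cp is a strtok() token it contains no whitespace, so a `%n` conversion plus a NUL check rejects trailing junk, and a `strchr(cp, '-')` test rejects the sign that `%u` would otherwise take; `consumed` below is an `int` to be declared with the function's other locals. The enclosing switch and the function that contains it begin before the hunk.
```c
		case sConnectionsPerPeriod:
			cp = strtok(NULL, WHITESPACE);
			if (cp == NULL)
				fatal("%.200s line %d: missing (>= 0) number argument.\n",
				    filename, linenum);
			/* cp is a whitespace-free token: %n plus the NUL test rejects
			 * trailing junk, and the '-' test rejects a sign %u would accept */
			if (strchr(cp, '-') != NULL ||
			    sscanf(cp, "%u/%u%n", &options->connections_per_period,
			    &options->connections_period, &consumed) != 2 ||
			    cp[consumed] != '\0')
				fatal("%.200s line %d: invalid numerical argument(s).\n",
				    filename, linenum);
			/* … unchanged: zero-period check and break … */
```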