mirror of https://git.FreeBSD.org/ports.git
synced 2024-11-18 00:10:04 +00:00
7db4f457f6
OpenBSD OpenSSH front), add ConnectionsPerPeriod to prevent DoS via running the system out of resources. In reality, this wouldn't be a full DoS, but would make a system slower, but this is a better thing to do than let the system get loaded down. So here we are, rate-limiting. The default settings are now: Five connections are allowed to authenticate (and not be rejected) in a period of ten seconds. One minute is given for login grace time. More work in this area is being done by alfred@FreeBSD.org and markus@OpenBSD.org, at the very least. This is, essentially, a stopgap solution; however, it is a properly implemented and documented one, and has an easily modifiable framework.
47 lines
1.3 KiB
Plaintext
--- /usr/ports/distfiles/OpenSSH-1.2/src/usr.bin/ssh/sshd.8 Tue Nov 23 18:58:38 1999
+++ sshd.8 Sun Dec 5 22:59:58 1999
@@ -220,6 +220,31 @@
should check for new mail for interactive logins.
The default is
.Dq no .
+.It Cm ConnectionsPerPeriod
+This keyword allows for rate-limiting of connections, and
+is followed by two numbers in the format
+.Dq n/s ,
+where
+.Ar n
+is the number of connections from a certain address group
+accepted per period of
+.Ar s
+seconds. Any connection after the number
+.Ar n
+connection in the period of
+.Ar s
+seconds will be dropped, and an informational message will be logged.
+A connection will belong to a certain group, of which there are 13
+by default, according to its IP address.
+The default for this keyword is
+.Dq 0/0 ,
+and rate-limiting can be explicitly turned off by using an
+.Ar n
+parameter of
+.Ql 0
+and any
+.Ar s
+parameter.
.It Cm DenyGroups
This keyword can be followed by a number of group names, separated
by spaces. Users whose primary group matches one of the patterns
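Review bot: the documented default contradicts the commit message. This hunk says the default for ConnectionsPerPeriod is `.Dq 0/0` (rate limiting off), while the commit message states the defaults are now five connections in a period of ten seconds; if 5/10 is the value shipped in sshd_config rather than the compiled-in default, say so here (for example "The default is .Dq 0/0 ; the supplied sshd_config sets .Dq 5/10 .") so a reader does not assume the limit is active out of the box. The sentence "Any connection after the number .Ar n connection in the period of .Ar s seconds will be dropped" is ungrammatical; suggest "Connections beyond the first .Ar n in any period of .Ar s seconds are dropped, and an informational message is logged." Also, "of which there are 13 by default" implies the group count is tunable but names no option, and the text never says how an address maps to a group; either describe the mapping (and note that all addresses in one group share the budget, which matters when many clients sit behind one gateway) or drop "by default".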
@@ -453,8 +478,9 @@
If the login is on a tty, records login time.
.It
Checks
-.Pa /etc/nologin ;
-if it exists, prints contents and quits
+.Pa /etc/nologin and
+.Pa /var/run/nologin ;
+if one exists, it prints the contents and quits
(unless root).
.It
Changes to run with normal user privileges.
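Review bot: mdoc markup problem in `+.Pa /etc/nologin and`: the .Pa macro treats every argument on the line as a path name, so "and" will be set in the path font. Put the conjunction on its own line (`.Pa /etc/nologin`, then `and`, then `.Pa /var/run/nologin ;`). The new wording "if one exists, it prints the contents and quits" also leaves open which file's contents are printed when both exist; state the order in which the two files are checked.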