Slash Boxes

SoylentNews is people

Submission Preview

Link to Story

OpenSSH Introduces Options to Penalize Undesirable Behavior

Accepted submission by upstart at 2024-06-10 04:47:50

████ # This file was generated bot-o-matically! Edit at your own risk. ████

OpenSSH introduces options to penalize undesirable behavior []:

In a recent commit [], Damien Miller (djm@) introduced the new sshd(8) [] configurations options, PerSourcePenalties [] and PerSourcePenaltyExemptList [], to provide a built in facility in sshd(8) [] itself to penalize undesirable behavior, and to shield specific clients from penalty, respectively.

The commit message reads,

List: openbsd-cvs Subject: CVS: src From: Damien Miller <djm () cvs ! openbsd ! org Date: 2024-06-06 17:15:26 CVSROOT: /cvs Module name: src Changes by: 2024/06/06 11:15:26 Modified files: usr.bin/ssh : misc.c misc.h monitor.c monitor_wrap.c servconf.c servconf.h srclimit.c srclimit.h sshd-session.c sshd.c sshd_config.5 Log message: Add a facility to sshd(8) [] to penalise particular problematic client behaviours, controlled by two new sshd_config(5) [] options: PerSourcePenalties [] and PerSourcePenaltyExemptList [].

When PerSourcePenalties are enabled, sshd(8) [] will monitor the exit status of its child pre-auth session processes. Through the exit status, it can observe situations where the session did not authenticate as expected. These conditions include when the client repeatedly attempted authentication unsucessfully (possibly indicating an attack against one or more accounts, e.g. password guessing), or when client behaviour caused sshd to crash (possibly indicating attempts to exploit sshd). When such a condition is observed, sshd will record a penalty of some duration (e.g. 30 seconds) against the client's address. If this time is above a minimum threshold specified by the PerSourcePenalties, then connections from the client address will be refused (along with any others in the same PerSourceNetBlockSize []CIDR range). Repeated offenses by the same client address will accrue greater penalties, up to a configurable maximum. A PerSourcePenaltyExemptList [] option allows certain address ranges to be exempt from all penalties. We hope these options will make it significantly more difficult for attackers to find accounts with weak/guessable passwords or exploit bugs in sshd(8) itself. PerSourcePenalties is off by default, but we expect to enable it automatically in the near future. much feedback markus@ and others, ok markus@

This new facility comes in addition to the already well known and loved pf.confstate tracking options [], and is for now available only in OpenBSD []-current, but is almost certainly to be available in the upcoming OpenBSD 7.6 release.

At first we were wondering whether these options would be enabled by default before the new release. We did not have to wait long. This subsequent commit [] settled the issue:

List: openbsd-cvs Subject: CVS: src From: Damien Miller <djm () cvs ! openbsd ! org Date: 2024-06-06 20:25:48 CVSROOT: /cvs Module name: src Changes by: 2024/06/06 14:25:48 Modified files: usr.bin/ssh : servconf.c Log message: enable PerSourcePenalties by default. ok markus NB. if you run a sshd that accepts connections from behind large NAT blocks, proxies or anything else that aggregates many possible users behind few IP addresses, then this change may cause legitimate traffic to be denied. Please read the PerSourcePenalties, PerSourcePenaltyExemptList and PerSourceNetBlockSize options in sshd_config(5) for how to tune your sshd(8) for your specific circumstances.

So now we know: starting with OpenBSD 7.6, PerSourcePenalties will be enabled by default, and admins who do not themselves run PF or other network translation mechanisms will need to keep the consequences of inconsiderate NAT use in mind.

Reply []

CommentsLatest Articles


Copyright © -Daniel Hartmeier []. All rights reserved. Articles and comments are copyright their respective authors, submission implies license to publish on this web site. Contents of the archive prior to as well as images and HTML templates were copied from the fabulous original [] with Jose []'s and Jim [mailto]'s kind permission. This journal runs as CGI with httpd(8) [] on OpenBSD [], the source code [] is BSD licensed []. undeadly \Un*dead"ly\, a. Not subject to death; immortal. [Obs.]. undeadly \Un*dead"ly\, a. Not subject to death; immortal. [Obs.]. undeadly \Un*dead"ly\, a. Not subject to death; immortal. [Obs.]. undeadly \Un*dead"ly\, a. Not subject to death; immortal. [Obs.]

raise-shields-and-return-fire dept.

Original Submission