Hello,

On Tue, 22 Dec 2020 at 15:52, Thomas De Schampheleire (<patrickdeping...@gmail.com>) wrote:

> > # HG changeset patch > # User Thomas De Schampheleire <thomas.de_schamphele...@nokia.com> > # Date 1487163184 -3600 > # Wed Feb 15 13:53:04 2017 +0100 > # Node ID ef434ebf63f7a935e9530bb2cd2e8d0463a5217a > # Parent 249681d9ecda383b7241b3cc360884093015dede > Introduce extra delay before closing unauthenticated sessions > > To make it harder for attackers, introduce a delay to keep an > unauthenticated session open a bit longer, thus blocking a connection > slot until after the delay. > > Without this, while there is a limit on the amount of attempts an attacker > can make at the same time (MAX_UNAUTH_PER_IP), the time taken by dropbear to > handle one attempt is still short and thus for each of the allowed parallel > attempts many attempts can be chained one after the other. The attempt rate > is then: > "MAX_UNAUTH_PER_IP / <process time of one attempt>". > > With the delay, this rate becomes: > "MAX_UNAUTH_PER_IP / UNAUTH_CLOSE_DELAY". > > diff --git a/default_options.h b/default_options.h > --- a/default_options.h > +++ b/default_options.h > @@ -256,6 +256,9 @@ Homedir is prepended unless path begins > /* -T server option overrides */ > #define MAX_AUTH_TRIES 10 > > +/* Delay introduced before closing an unauthenticated session (seconds) */ > +#define UNAUTH_CLOSE_DELAY 30 > + > /* The default file to store the daemon's process ID, for shutdown > scripts etc. This can be overridden with the -P flag */ > #define DROPBEAR_PIDFILE "/var/run/dropbear.pid" > diff --git a/svr-session.c b/svr-session.c > --- a/svr-session.c > +++ b/svr-session.c > @@ -215,6 +215,7 @@ void svr_dropbear_exit(int exitcode, con > char fullmsg[300]; > char fromaddr[60]; > int i; > + int add_delay = 0; > > #if DROPBEAR_PLUGIN > if ((ses.plugin_session != NULL)) { 
> @@ -247,13 +248,33 @@ void svr_dropbear_exit(int exitcode, con > snprintf(fullmsg, sizeof(fullmsg), > "Exit before auth%s: (user '%s', %u fails): > %s", > fromaddr, ses.authstate.pw_name, > ses.authstate.failcount, exitmsg); > + add_delay = 1; > } else { > /* before userauth */ > snprintf(fullmsg, sizeof(fullmsg), "Exit before auth%s: %s", > fromaddr, exitmsg); > + add_delay = 1; > } > > dropbear_log(LOG_INFO, "%s", fullmsg); > > + /* To make it harder for attackers, introduce a delay to keep an > + * unauthenticated session open a bit longer, thus blocking a > connection > + * slot until after the delay. Without this, while there is a limit on > + * the amount of attempts an attacker can make at the same time > + * (MAX_UNAUTH_PER_IP), the time taken by dropbear to handle one > attempt > + * is still short and thus for each of the allowed parallel attempts > + * many attempts can be chained one after the other. The attempt rate > is > + * then: > + * "MAX_UNAUTH_PER_IP / <process time of one attempt>". > + * With the delay, this rate becomes: > + * "MAX_UNAUTH_PER_IP / UNAUTH_CLOSE_DELAY". > + */ > + if ((add_delay != 0) && (UNAUTH_CLOSE_DELAY > 0)) { > + TRACE(("svr_dropbear_exit: start delay of %d seconds", > UNAUTH_CLOSE_DELAY)); > + sleep(UNAUTH_CLOSE_DELAY); > + TRACE(("svr_dropbear_exit: end delay of %d seconds", > UNAUTH_CLOSE_DELAY)); > + } > + > #if DROPBEAR_VFORK > /* For uclinux only the main server process should cleanup - we don't > want > * forked children doing that */ >
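Review bot: in the default_options.h hunk, the new UNAUTH_CLOSE_DELAY define is placed directly under the `/* -T server option overrides */` block next to MAX_AUTH_TRIES, but unlike MAX_AUTH_TRIES it has no runtime option, so an operator cannot tune or disable the 30-second default without rebuilding; either add a server option or say in the comment that it is compile-time only. The comment should also state that 0 disables the delay (svr-session.c tests `UNAUTH_CLOSE_DELAY > 0`) and that the value interacts with MAX_UNAUTH_PER_IP: every pre-auth exit now holds a per-IP slot for the full delay, and legitimate clients arriving from the same source address share those slots, so the default deserves a sentence on that trade-off.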
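Review bot: in the svr-session.c hunk, add_delay is set to 1 in both branches, including the `/* before userauth */` else branch, so the sleep also fires for sessions that exit before any authentication attempt was made and for the `ses.authstate.failcount == 0` case; that charges clean disconnects and protocol probes the same 30 seconds as a failed login. Consider gating on `ses.authstate.failcount > 0`, or at least skipping the delay in the before-userauth branch. The sleep also runs after dropbear_log() has already written "Exit before auth", so the logged time precedes the real close by UNAUTH_CLOSE_DELAY; logging after the sleep, or emitting a second line when the delay ends, keeps timestamps usable for anyone correlating slot usage with the log. Finally, the block comment repeats the commit message verbatim; a one-line pointer to UNAUTH_CLOSE_DELAY would do.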
Any comments on this patch?

Thanks,
Thomas