Re: [PATCH] Introduce extra delay before closing unauthenticated sessions

2021-01-26 Thread Hans Harder
The change is also: by putting a delay in the connection close, it is
going to work against you.
Suppose this happens constantly, will you be able to make a valid connection?

I use a different approach: allow only a fixed src IP access and drop
any other connection.
You can do that with iptables, so dropbear only gets connection
requests from valid IPs.

Hans

On Tue, Jan 26, 2021 at 11:38 AM Thomas De Schampheleire
 wrote:
>
> Hi Matt,
>
> On Sun, 24 Jan 2021 at 14:30, Matt Johnston () wrote:
> >
> > On Wed 20/1/2021, at 8:15 pm, Thomas De Schampheleire 
> >  wrote:
> > >
> > >> # HG changeset patch
> > >> Introduce extra delay before closing unauthenticated sessions
> > >
> > > Any comments on this patch?
> > >
> >
> > Hi Thomas,
> >
> > Sorry for the delay getting back to you. I've applied the patch, it seems 
> > like it could be good as a simple brute force countermeasure. I'm sure a 
> > lot of the SSH bots are using varying source IPs from botnets etc, but 
> > there doesn't seem much harm in an extra delay.
>
> For batch login attempts from multiple IPs, there are already some
> existing options:
>
> /* Specify the number of clients we will allow to be connected but
>  * not yet authenticated. After this limit, connections are rejected */
> /* The first setting is per-IP, to avoid denial of service */
> #define MAX_UNAUTH_PER_IP 5
>
> /* And then a global limit to avoid chewing memory if connections
>  * come from many IPs */
> #define MAX_UNAUTH_CLIENTS 30
>
> So per IP, you have only 5 simultaneous attempts. Globally there is a
> max of 30, meaning 6 clients can attempt 5 simultaneous attempts.
> With the new extra delay, this means that these 30 connection slots
> will be held for 30 seconds, which should reduce the effectiveness of
> an attack greatly.
> It does mean that legitimate attempts may also be blocked for a while,
> but I think this basically already happens today although that block
> is shorter.
> Would you agree?
>
> >
> > I'll add an option to disable it at runtime just in case it ends up causing 
> > problems (resource usage of waiting connections would be my concern).
>
> Sure, thanks.
>
> Best regards,
> Thomas


Re: [PATCH] Introduce extra delay before closing unauthenticated sessions

2021-01-26 Thread Thomas De Schampheleire
Hi Matt,

On Sun, 24 Jan 2021 at 14:30, Matt Johnston () wrote:
>
> On Wed 20/1/2021, at 8:15 pm, Thomas De Schampheleire 
>  wrote:
> >
> >> # HG changeset patch
> >> Introduce extra delay before closing unauthenticated sessions
> >
> > Any comments on this patch?
> >
>
> Hi Thomas,
>
> Sorry for the delay getting back to you. I've applied the patch, it seems 
> like it could be good as a simple brute force countermeasure. I'm sure a lot 
> of the SSH bots are using varying source IPs from botnets etc, but there 
> doesn't seem much harm in an extra delay.

For batch login attempts from multiple IPs, there are already some
existing options:

/* Specify the number of clients we will allow to be connected but
 * not yet authenticated. After this limit, connections are rejected */
/* The first setting is per-IP, to avoid denial of service */
#define MAX_UNAUTH_PER_IP 5

/* And then a global limit to avoid chewing memory if connections
 * come from many IPs */
#define MAX_UNAUTH_CLIENTS 30

So per IP, you have only 5 simultaneous attempts. Globally there is a
max of 30, meaning 6 clients can attempt 5 simultaneous attempts.
With the new extra delay, this means that these 30 connection slots
will be held for 30 seconds, which should reduce the effectiveness of
an attack greatly.
It does mean that legitimate attempts may also be blocked for a while,
but I think this basically already happens today although that block
is shorter.
Would you agree?

>
> I'll add an option to disable it at runtime just in case it ends up causing 
> problems (resource usage of waiting connections would be my concern).

Sure, thanks.

Best regards,
Thomas
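The slot arithmetic in this reply (5 per IP, 30 globally, slots held for the delay), Hans's question above about whether a valid connection still gets through, and the attempt-rate expression in the patch description below all describe the same model, so here is one runnable version of it. This is an added example, not dropbear code: it re-implements the admission rule implied by MAX_UNAUTH_PER_IP and MAX_UNAUTH_CLIENTS in Python and drives it with a guessing attacker and a legitimate user. It also counts MAX_AUTH_TRIES password guesses per connection, which the patch description's "MAX_UNAUTH_PER_IP / UNAUTH_CLOSE_DELAY" expression does not include. The per-try time (0.5 s), the legitimate login time (2 s), the 1 s retry after a refused connect and the address labels are assumptions chosen for the example.

```python
"""Slot-occupancy model for dropbear's unauthenticated-connection limits.

Constructed example, not dropbear code: it replays the admission rule implied by
MAX_UNAUTH_PER_IP / MAX_UNAUTH_CLIENTS against a guessing attacker and a
legitimate user, with and without the UNAUTH_CLOSE_DELAY hold.  All timings
(seconds_per_try, legit_auth_time, retry interval) are assumptions.
"""
import heapq
from dataclasses import dataclass, field

MAX_UNAUTH_PER_IP = 5    # per-IP cap, from default_options.h as quoted in the thread
MAX_UNAUTH_CLIENTS = 30  # global cap
MAX_AUTH_TRIES = 10      # password tries allowed per connection


@dataclass
class UnauthTable:
    """Counts pre-auth sessions the way the two limits require."""
    per_ip_limit: int
    global_limit: int
    by_ip: dict = field(default_factory=dict)
    total: int = 0

    def admit(self, ip: str) -> bool:
        """Accept a new pre-auth connection from `ip` unless a limit is hit."""
        if self.by_ip.get(ip, 0) >= self.per_ip_limit:
            return False
        if self.total >= self.global_limit:
            return False
        self.by_ip[ip] = self.by_ip.get(ip, 0) + 1
        self.total += 1
        return True

    def release(self, ip: str) -> None:
        self.by_ip[ip] -= 1
        self.total -= 1


def simulate(n_attacker_ips: int, close_delay: float, *, horizon: float = 3600.0,
             seconds_per_try: float = 0.5, tries_per_conn: int = MAX_AUTH_TRIES,
             legit_interval: float = 60.0, legit_auth_time: float = 2.0) -> dict:
    """Event-driven run over `horizon` seconds.

    Each attacker IP keeps per_ip_limit connections open.  A connection makes
    tries_per_conn guesses, then the server holds the slot for close_delay
    seconds (the patch's sleep) before the attacker reconnects.  A legitimate
    user from its own address tries to log in every legit_interval seconds.
    """
    table = UnauthTable(MAX_UNAUTH_PER_IP, MAX_UNAUTH_CLIENTS)
    events: list = []   # (time, seq, kind, ip); seq keeps FIFO order at equal times
    seq = 0

    def push(t, kind, ip):
        nonlocal seq
        heapq.heappush(events, (t, seq, kind, ip))
        seq += 1

    for i in range(n_attacker_ips):
        for _ in range(MAX_UNAUTH_PER_IP):
            push(0.0, "attack_connect", f"attacker-{i}")   # constructed address label
    t = 0.0
    while t < horizon:
        push(t, "legit_connect", "legit")
        t += legit_interval

    attacker_hold = tries_per_conn * seconds_per_try + close_delay
    guesses = legit_ok = legit_rejected = 0
    while events:
        t, _, kind, ip = heapq.heappop(events)
        if t >= horizon:
            break
        if kind == "attack_connect":
            if table.admit(ip):
                guesses += tries_per_conn
                push(t + attacker_hold, "attack_close", ip)
            else:
                push(t + 1.0, "attack_connect", ip)   # refused: retry in 1 s
        elif kind == "attack_close":
            table.release(ip)
            push(t, "attack_connect", ip)             # reconnect at once
        elif kind == "legit_connect":
            if table.admit(ip):
                legit_ok += 1
                push(t + legit_auth_time, "legit_close", ip)
            else:
                legit_rejected += 1
        elif kind == "legit_close":
            table.release(ip)
    return {"guesses_per_hour": guesses * 3600.0 / horizon,
            "legit_ok": legit_ok, "legit_rejected": legit_rejected}


if __name__ == "__main__":
    for n_ips in (1, 3, 6, 10):
        for delay in (0.0, 30.0):
            r = simulate(n_ips, delay)
            print(f"ips={n_ips:2d} delay={delay:3.0f}s  guesses/h={r['guesses_per_hour']:7.0f}  "
                  f"legit ok/rejected={r['legit_ok']}/{r['legit_rejected']}")
```

Running it shows the two sides of the argument side by side: for a single attacker IP the hold cuts the guess rate from 5 × 10 / 5 s to 5 × 10 / 35 s (36000 to about 5150 guesses per hour), while with six attacker IPs the global table is full the whole hour and the legitimate user is refused every time, whether or not the delay is compiled in.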


Re: [PATCH] Introduce extra delay before closing unauthenticated sessions

2021-01-24 Thread Matt Johnston
On Wed 20/1/2021, at 8:15 pm, Thomas De Schampheleire 
 wrote:
> 
>> # HG changeset patch
>> Introduce extra delay before closing unauthenticated sessions
> 
> Any comments on this patch?
> 

Hi Thomas,

Sorry for the delay getting back to you. I've applied the patch, it seems like 
it could be good as a simple brute force countermeasure. I'm sure a lot of the 
SSH bots are using varying source IPs from botnets etc, but there doesn't seem 
much harm in an extra delay.

I'll add an option to disable it at runtime just in case it ends up causing 
problems (resource usage of waiting connections would be my concern).

Thanks,
Matt

Re: [PATCH] Introduce extra delay before closing unauthenticated sessions

2021-01-20 Thread Thomas De Schampheleire
Hello,

On Tue, 22 Dec 2020 at 15:52, Thomas De Schampheleire
() wrote:
>
> # HG changeset patch
> # User Thomas De Schampheleire 
> # Date 1487163184 -3600
> #  Wed Feb 15 13:53:04 2017 +0100
> # Node ID ef434ebf63f7a935e9530bb2cd2e8d0463a5217a
> # Parent  249681d9ecda383b7241b3cc360884093015dede
> Introduce extra delay before closing unauthenticated sessions
>
> To make it harder for attackers, introduce a delay to keep an
> unauthenticated session open a bit longer, thus blocking a connection
> slot until after the delay.
>
> Without this, while there is a limit on the amount of attempts an attacker
> can make at the same time (MAX_UNAUTH_PER_IP), the time taken by dropbear to
> handle one attempt is still short and thus for each of the allowed parallel
> attempts many attempts can be chained one after the other. The attempt rate
> is then:
> "MAX_UNAUTH_PER_IP / ".
>
> With the delay, this rate becomes:
> "MAX_UNAUTH_PER_IP / UNAUTH_CLOSE_DELAY".
>
> diff --git a/default_options.h b/default_options.h
> --- a/default_options.h
> +++ b/default_options.h
> @@ -256,6 +256,9 @@ Homedir is prepended unless path begins
>  /* -T server option overrides */
>  #define MAX_AUTH_TRIES 10
>
> +/* Delay introduced before closing an unauthenticated session (seconds) */
> +#define UNAUTH_CLOSE_DELAY 30
> +
>  /* The default file to store the daemon's process ID, for shutdown
> scripts etc. This can be overridden with the -P flag */
>  #define DROPBEAR_PIDFILE "/var/run/dropbear.pid"
> diff --git a/svr-session.c b/svr-session.c
> --- a/svr-session.c
> +++ b/svr-session.c
> @@ -215,6 +215,7 @@ void svr_dropbear_exit(int exitcode, con
> char fullmsg[300];
> char fromaddr[60];
> int i;
> +   int add_delay = 0;
>
>  #if DROPBEAR_PLUGIN
>  if ((ses.plugin_session != NULL)) {
> @@ -247,13 +248,33 @@ void svr_dropbear_exit(int exitcode, con
> snprintf(fullmsg, sizeof(fullmsg),
> "Exit before auth%s: (user '%s', %u fails): 
> %s",
> fromaddr, ses.authstate.pw_name, 
> ses.authstate.failcount, exitmsg);
> +   add_delay = 1;
> } else {
> /* before userauth */
> snprintf(fullmsg, sizeof(fullmsg), "Exit before auth%s: %s", 
> fromaddr, exitmsg);
> +   add_delay = 1;
> }
>
> dropbear_log(LOG_INFO, "%s", fullmsg);
>
> +   /* To make it harder for attackers, introduce a delay to keep an
> +* unauthenticated session open a bit longer, thus blocking a 
> connection
> +* slot until after the delay. Without this, while there is a limit on
> +* the amount of attempts an attacker can make at the same time
> +* (MAX_UNAUTH_PER_IP), the time taken by dropbear to handle one 
> attempt
> +* is still short and thus for each of the allowed parallel attempts
> +* many attempts can be chained one after the other. The attempt rate 
> is
> +* then:
> +* "MAX_UNAUTH_PER_IP / ".
> +* With the delay, this rate becomes:
> +* "MAX_UNAUTH_PER_IP / UNAUTH_CLOSE_DELAY".
> +*/
> +   if ((add_delay != 0) && (UNAUTH_CLOSE_DELAY > 0)) {
> +   TRACE(("svr_dropbear_exit: start delay of %d seconds", 
> UNAUTH_CLOSE_DELAY));
> +   sleep(UNAUTH_CLOSE_DELAY);
> +   TRACE(("svr_dropbear_exit: end delay of %d seconds", 
> UNAUTH_CLOSE_DELAY));
> +   }
> +
>  #if DROPBEAR_VFORK
> /* For uclinux only the main server process should cleanup - we don't 
> want
>  * forked children doing that */
>

Any comments on this patch?

Thanks,
Thomas


[PATCH] Introduce extra delay before closing unauthenticated sessions

2020-12-22 Thread Thomas De Schampheleire
# HG changeset patch
# User Thomas De Schampheleire 
# Date 1487163184 -3600
#  Wed Feb 15 13:53:04 2017 +0100
# Node ID ef434ebf63f7a935e9530bb2cd2e8d0463a5217a
# Parent  249681d9ecda383b7241b3cc360884093015dede
Introduce extra delay before closing unauthenticated sessions

To make it harder for attackers, introduce a delay to keep an
unauthenticated session open a bit longer, thus blocking a connection
slot until after the delay.

Without this, while there is a limit on the amount of attempts an attacker
can make at the same time (MAX_UNAUTH_PER_IP), the time taken by dropbear to
handle one attempt is still short and thus for each of the allowed parallel
attempts many attempts can be chained one after the other. The attempt rate
is then:
"MAX_UNAUTH_PER_IP / ".

With the delay, this rate becomes:
"MAX_UNAUTH_PER_IP / UNAUTH_CLOSE_DELAY".

diff --git a/default_options.h b/default_options.h
--- a/default_options.h
+++ b/default_options.h
@@ -256,6 +256,9 @@ Homedir is prepended unless path begins 
 /* -T server option overrides */
 #define MAX_AUTH_TRIES 10
 
+/* Delay introduced before closing an unauthenticated session (seconds) */
+#define UNAUTH_CLOSE_DELAY 30
+
 /* The default file to store the daemon's process ID, for shutdown
scripts etc. This can be overridden with the -P flag */
 #define DROPBEAR_PIDFILE "/var/run/dropbear.pid"
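Review bot: the comment on `UNAUTH_CLOSE_DELAY` should say that 0 disables the delay, since the check in svr-session.c is `(UNAUTH_CLOSE_DELAY > 0)` and a reader of default_options.h has no other way to know that; something like `/* Delay before closing an unauthenticated session (seconds). 0 disables. */`. The define also sits directly under the `/* -T server option overrides */` block for `MAX_AUTH_TRIES`, which has a runtime flag, so a reader may assume `-T` covers it as well; either note that there is no runtime override yet, or add the runtime switch Matt mentions later in the thread together with this hunk.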
diff --git a/svr-session.c b/svr-session.c
--- a/svr-session.c
+++ b/svr-session.c
@@ -215,6 +215,7 @@ void svr_dropbear_exit(int exitcode, con
char fullmsg[300];
char fromaddr[60];
int i;
+   int add_delay = 0;
 
 #if DROPBEAR_PLUGIN
 if ((ses.plugin_session != NULL)) {
@@ -247,13 +248,33 @@ void svr_dropbear_exit(int exitcode, con
snprintf(fullmsg, sizeof(fullmsg), 
"Exit before auth%s: (user '%s', %u fails): %s",
fromaddr, ses.authstate.pw_name, 
ses.authstate.failcount, exitmsg);
+   add_delay = 1;
} else {
/* before userauth */
snprintf(fullmsg, sizeof(fullmsg), "Exit before auth%s: %s", 
fromaddr, exitmsg);
+   add_delay = 1;
}
 
dropbear_log(LOG_INFO, "%s", fullmsg);
 
+   /* To make it harder for attackers, introduce a delay to keep an
+* unauthenticated session open a bit longer, thus blocking a connection
+* slot until after the delay. Without this, while there is a limit on
+* the amount of attempts an attacker can make at the same time
+* (MAX_UNAUTH_PER_IP), the time taken by dropbear to handle one attempt
+* is still short and thus for each of the allowed parallel attempts
+* many attempts can be chained one after the other. The attempt rate is
+* then:
+* "MAX_UNAUTH_PER_IP / ".
+* With the delay, this rate becomes:
+* "MAX_UNAUTH_PER_IP / UNAUTH_CLOSE_DELAY".
+*/
+   if ((add_delay != 0) && (UNAUTH_CLOSE_DELAY > 0)) {
+   TRACE(("svr_dropbear_exit: start delay of %d seconds", 
UNAUTH_CLOSE_DELAY));
+   sleep(UNAUTH_CLOSE_DELAY);
+   TRACE(("svr_dropbear_exit: end delay of %d seconds", 
UNAUTH_CLOSE_DELAY));
+   }
+
 #if DROPBEAR_VFORK
/* For uclinux only the main server process should cleanup - we don't 
want
 * forked children doing that */
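Review bot: both pre-auth branches set `add_delay = 1`, so the hold applies to every exit before authentication, including the `/* before userauth */` branch where the client never sent a userauth request and the first branch when `ses.authstate.failcount` is 0 (a banner grab, a failed key exchange, a client that just went away). Those connections then occupy a `MAX_UNAUTH_PER_IP` slot for `UNAUTH_CLOSE_DELAY` seconds without having guessed anything, which costs the attacker nothing and makes slot exhaustion easier rather than harder. Suggest gating on `ses.authstate.failcount > 0` in the first branch and not setting `add_delay` in the `else` branch, or stating in the comment that the blanket delay is intended. Separately, `sleep()` returns early when a signal arrives, so the `"end delay of %d seconds"` TRACE can be wrong; if the full hold matters, loop on the value `sleep()` returns until it is 0. The denominator in the in-code comment, `"MAX_UNAUTH_PER_IP / "`, is also empty as posted and should name the per-attempt handling time it is dividing by.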