mirror of
https://github.com/openssh/openssh-portable.git
synced 2026-01-12 00:04:08 +08:00
49480f1934
applied to login attempts for usernames that do not match real accounts. Defaults to 5s to match 'authfail' but allows administrators to block such sources for longer if desired. with & ok djm@ OpenBSD-Commit-ID: bb62797bcf2adceb96f608ce86d0bb042aff5834
503 lines
15 KiB
C
503 lines
15 KiB
C
/*
|
|
* Copyright (c) 2020 Darren Tucker <dtucker@openbsd.org>
|
|
* Copyright (c) 2024 Damien Miller <djm@mindrot.org>
|
|
*
|
|
* Permission to use, copy, modify, and distribute this software for any
|
|
* purpose with or without fee is hereby granted, provided that the above
|
|
* copyright notice and this permission notice appear in all copies.
|
|
*
|
|
* THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
|
|
* WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
|
|
* MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
|
|
* ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
|
|
* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
|
|
* ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
|
|
* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
|
|
*/
|
|
|
|
#include "includes.h"
|
|
|
|
#include <sys/socket.h>
|
|
#include <sys/types.h>
|
|
#include <openbsd-compat/sys-tree.h>
|
|
|
|
#include <limits.h>
|
|
#include <netdb.h>
|
|
#include <stdio.h>
|
|
#include <string.h>
|
|
#include <stdlib.h>
|
|
|
|
#include "addr.h"
|
|
#include "canohost.h"
|
|
#include "log.h"
|
|
#include "misc.h"
|
|
#include "srclimit.h"
|
|
#include "xmalloc.h"
|
|
#include "servconf.h"
|
|
#include "match.h"
|
|
|
|
static int max_children, max_persource, ipv4_masklen, ipv6_masklen;
|
|
static struct per_source_penalty penalty_cfg;
|
|
static char *penalty_exempt;
|
|
|
|
/* Per connection state, used to enforce unauthenticated connection limit. */
|
|
static struct child_info {
|
|
int id;
|
|
struct xaddr addr;
|
|
} *children;
|
|
|
|
/*
|
|
* Penalised addresses, active entries here prohibit connections until expired.
|
|
* Entries become active when more than penalty_min seconds of penalty are
|
|
* outstanding.
|
|
*/
|
|
struct penalty {
|
|
struct xaddr addr;
|
|
double expiry;
|
|
int active;
|
|
const char *reason;
|
|
RB_ENTRY(penalty) by_addr;
|
|
RB_ENTRY(penalty) by_expiry;
|
|
};
|
|
static int penalty_addr_cmp(struct penalty *a, struct penalty *b);
|
|
static int penalty_expiry_cmp(struct penalty *a, struct penalty *b);
|
|
RB_HEAD(penalties_by_addr, penalty) penalties_by_addr4, penalties_by_addr6;
|
|
RB_HEAD(penalties_by_expiry, penalty) penalties_by_expiry4, penalties_by_expiry6;
|
|
RB_GENERATE_STATIC(penalties_by_addr, penalty, by_addr, penalty_addr_cmp)
|
|
RB_GENERATE_STATIC(penalties_by_expiry, penalty, by_expiry, penalty_expiry_cmp)
|
|
static size_t npenalties4, npenalties6;
|
|
|
|
static int
|
|
srclimit_mask_addr(const struct xaddr *addr, int bits, struct xaddr *masked)
|
|
{
|
|
struct xaddr xmask;
|
|
|
|
/* Mask address off address to desired size. */
|
|
if (addr_netmask(addr->af, bits, &xmask) != 0 ||
|
|
addr_and(masked, addr, &xmask) != 0) {
|
|
debug3_f("%s: invalid mask %d bits", __func__, bits);
|
|
return -1;
|
|
}
|
|
return 0;
|
|
}
|
|
|
|
static int
|
|
srclimit_peer_addr(int sock, struct xaddr *addr)
|
|
{
|
|
struct sockaddr_storage storage;
|
|
socklen_t addrlen = sizeof(storage);
|
|
struct sockaddr *sa = (struct sockaddr *)&storage;
|
|
|
|
if (getpeername(sock, sa, &addrlen) != 0)
|
|
return 1; /* not remote socket? */
|
|
if (addr_sa_to_xaddr(sa, addrlen, addr) != 0)
|
|
return 1; /* unknown address family? */
|
|
return 0;
|
|
}
|
|
|
|
void
|
|
srclimit_init(int max, int persource, int ipv4len, int ipv6len,
|
|
struct per_source_penalty *penalty_conf, const char *penalty_exempt_conf)
|
|
{
|
|
int i;
|
|
|
|
max_children = max;
|
|
ipv4_masklen = ipv4len;
|
|
ipv6_masklen = ipv6len;
|
|
max_persource = persource;
|
|
penalty_cfg = *penalty_conf;
|
|
if (penalty_cfg.max_sources4 < 0 || penalty_cfg.max_sources6 < 0)
|
|
fatal_f("invalid max_sources"); /* shouldn't happen */
|
|
penalty_exempt = penalty_exempt_conf == NULL ?
|
|
NULL : xstrdup(penalty_exempt_conf);
|
|
RB_INIT(&penalties_by_addr4);
|
|
RB_INIT(&penalties_by_expiry4);
|
|
RB_INIT(&penalties_by_addr6);
|
|
RB_INIT(&penalties_by_expiry6);
|
|
if (max_persource == INT_MAX) /* no limit */
|
|
return;
|
|
debug("%s: max connections %d, per source %d, masks %d,%d", __func__,
|
|
max, persource, ipv4len, ipv6len);
|
|
if (max <= 0)
|
|
fatal_f("invalid number of sockets: %d", max);
|
|
children = xcalloc(max_children, sizeof(*children));
|
|
for (i = 0; i < max_children; i++)
|
|
children[i].id = -1;
|
|
}
|
|
|
|
/* returns 1 if connection allowed, 0 if not allowed. */
|
|
int
|
|
srclimit_check_allow(int sock, int id)
|
|
{
|
|
struct xaddr xa, xb;
|
|
int i, bits, first_unused, count = 0;
|
|
char xas[NI_MAXHOST];
|
|
|
|
if (max_persource == INT_MAX) /* no limit */
|
|
return 1;
|
|
|
|
debug_f("sock %d id %d limit %d", sock, id, max_persource);
|
|
if (srclimit_peer_addr(sock, &xa) != 0)
|
|
return 1;
|
|
bits = xa.af == AF_INET ? ipv4_masklen : ipv6_masklen;
|
|
if (srclimit_mask_addr(&xa, bits, &xb) != 0)
|
|
return 1;
|
|
|
|
first_unused = max_children;
|
|
/* Count matching entries and find first unused one. */
|
|
for (i = 0; i < max_children; i++) {
|
|
if (children[i].id == -1) {
|
|
if (i < first_unused)
|
|
first_unused = i;
|
|
} else if (addr_cmp(&children[i].addr, &xb) == 0) {
|
|
count++;
|
|
}
|
|
}
|
|
if (addr_ntop(&xa, xas, sizeof(xas)) != 0) {
|
|
debug3_f("addr ntop failed");
|
|
return 1;
|
|
}
|
|
debug3("%s: new unauthenticated connection from %s/%d, at %d of %d",
|
|
__func__, xas, bits, count, max_persource);
|
|
|
|
if (first_unused == max_children) { /* no free slot found */
|
|
debug3_f("no free slot");
|
|
return 0;
|
|
}
|
|
if (first_unused < 0 || first_unused >= max_children)
|
|
fatal("%s: internal error: first_unused out of range",
|
|
__func__);
|
|
|
|
if (count >= max_persource)
|
|
return 0;
|
|
|
|
/* Connection allowed, store masked address. */
|
|
children[first_unused].id = id;
|
|
memcpy(&children[first_unused].addr, &xb, sizeof(xb));
|
|
return 1;
|
|
}
|
|
|
|
void
|
|
srclimit_done(int id)
|
|
{
|
|
int i;
|
|
|
|
if (max_persource == INT_MAX) /* no limit */
|
|
return;
|
|
|
|
debug_f("id %d", id);
|
|
/* Clear corresponding state entry. */
|
|
for (i = 0; i < max_children; i++) {
|
|
if (children[i].id == id) {
|
|
children[i].id = -1;
|
|
return;
|
|
}
|
|
}
|
|
}
|
|
|
|
static int
|
|
penalty_addr_cmp(struct penalty *a, struct penalty *b)
|
|
{
|
|
return addr_cmp(&a->addr, &b->addr);
|
|
/* Addresses must be unique in by_addr, so no need to tiebreak */
|
|
}
|
|
|
|
static int
|
|
penalty_expiry_cmp(struct penalty *a, struct penalty *b)
|
|
{
|
|
if (a->expiry != b->expiry)
|
|
return a->expiry < b->expiry ? -1 : 1;
|
|
/* Tiebreak on addresses */
|
|
return addr_cmp(&a->addr, &b->addr);
|
|
}
|
|
|
|
static void
|
|
expire_penalties_from_tree(double now, const char *t,
|
|
struct penalties_by_expiry *by_expiry,
|
|
struct penalties_by_addr *by_addr, size_t *npenaltiesp)
|
|
{
|
|
struct penalty *penalty, *tmp;
|
|
|
|
/* XXX avoid full scan of tree, e.g. min-heap */
|
|
RB_FOREACH_SAFE(penalty, penalties_by_expiry, by_expiry, tmp) {
|
|
if (penalty->expiry >= now)
|
|
break;
|
|
if (RB_REMOVE(penalties_by_expiry, by_expiry,
|
|
penalty) != penalty ||
|
|
RB_REMOVE(penalties_by_addr, by_addr,
|
|
penalty) != penalty)
|
|
fatal_f("internal error: %s penalty table corrupt", t);
|
|
free(penalty);
|
|
if ((*npenaltiesp)-- == 0)
|
|
fatal_f("internal error: %s npenalties underflow", t);
|
|
}
|
|
}
|
|
|
|
static void
|
|
expire_penalties(double now)
|
|
{
|
|
expire_penalties_from_tree(now, "ipv4",
|
|
&penalties_by_expiry4, &penalties_by_addr4, &npenalties4);
|
|
expire_penalties_from_tree(now, "ipv6",
|
|
&penalties_by_expiry6, &penalties_by_addr6, &npenalties6);
|
|
}
|
|
|
|
static void
|
|
addr_masklen_ntop(struct xaddr *addr, int masklen, char *s, size_t slen)
|
|
{
|
|
size_t o;
|
|
|
|
if (addr_ntop(addr, s, slen) != 0) {
|
|
strlcpy(s, "UNKNOWN", slen);
|
|
return;
|
|
}
|
|
if ((o = strlen(s)) < slen)
|
|
snprintf(s + o, slen - o, "/%d", masklen);
|
|
}
|
|
|
|
int
|
|
srclimit_penalty_check_allow(int sock, const char **reason)
|
|
{
|
|
struct xaddr addr;
|
|
struct penalty find, *penalty;
|
|
double now;
|
|
int bits, max_sources, overflow_mode;
|
|
char addr_s[NI_MAXHOST];
|
|
struct penalties_by_addr *by_addr;
|
|
size_t npenalties;
|
|
|
|
if (!penalty_cfg.enabled)
|
|
return 1;
|
|
if (srclimit_peer_addr(sock, &addr) != 0)
|
|
return 1;
|
|
if (penalty_exempt != NULL) {
|
|
if (addr_ntop(&addr, addr_s, sizeof(addr_s)) != 0)
|
|
return 1; /* shouldn't happen */
|
|
if (addr_match_list(addr_s, penalty_exempt) == 1) {
|
|
return 1;
|
|
}
|
|
}
|
|
now = monotime_double();
|
|
expire_penalties(now);
|
|
by_addr = addr.af == AF_INET ?
|
|
&penalties_by_addr4 : &penalties_by_addr6;
|
|
max_sources = addr.af == AF_INET ?
|
|
penalty_cfg.max_sources4 : penalty_cfg.max_sources6;
|
|
overflow_mode = addr.af == AF_INET ?
|
|
penalty_cfg.overflow_mode : penalty_cfg.overflow_mode6;
|
|
npenalties = addr.af == AF_INET ? npenalties4 : npenalties6;
|
|
if (npenalties >= (size_t)max_sources &&
|
|
overflow_mode == PER_SOURCE_PENALTY_OVERFLOW_DENY_ALL) {
|
|
*reason = "too many penalised addresses";
|
|
return 0;
|
|
}
|
|
bits = addr.af == AF_INET ? ipv4_masklen : ipv6_masklen;
|
|
memset(&find, 0, sizeof(find));
|
|
if (srclimit_mask_addr(&addr, bits, &find.addr) != 0)
|
|
return 1;
|
|
if ((penalty = RB_FIND(penalties_by_addr, by_addr, &find)) == NULL)
|
|
return 1; /* no penalty */
|
|
if (penalty->expiry < now) {
|
|
expire_penalties(now);
|
|
return 1; /* expired penalty */
|
|
}
|
|
if (!penalty->active)
|
|
return 1; /* Penalty hasn't hit activation threshold yet */
|
|
*reason = penalty->reason;
|
|
return 0;
|
|
}
|
|
|
|
static void
|
|
srclimit_early_expire_penalties_from_tree(const char *t,
|
|
struct penalties_by_expiry *by_expiry,
|
|
struct penalties_by_addr *by_addr, size_t *npenaltiesp, size_t max_sources)
|
|
{
|
|
struct penalty *p = NULL;
|
|
int bits;
|
|
char s[NI_MAXHOST + 4];
|
|
|
|
/* Delete the soonest-to-expire penalties. */
|
|
while (*npenaltiesp > max_sources) {
|
|
if ((p = RB_MIN(penalties_by_expiry, by_expiry)) == NULL)
|
|
fatal_f("internal error: %s table corrupt (find)", t);
|
|
bits = p->addr.af == AF_INET ? ipv4_masklen : ipv6_masklen;
|
|
addr_masklen_ntop(&p->addr, bits, s, sizeof(s));
|
|
debug3_f("%s overflow, remove %s", t, s);
|
|
if (RB_REMOVE(penalties_by_expiry, by_expiry, p) != p ||
|
|
RB_REMOVE(penalties_by_addr, by_addr, p) != p)
|
|
fatal_f("internal error: %s table corrupt (remove)", t);
|
|
free(p);
|
|
(*npenaltiesp)--;
|
|
}
|
|
}
|
|
|
|
static void
|
|
srclimit_early_expire_penalties(void)
|
|
{
|
|
srclimit_early_expire_penalties_from_tree("ipv4",
|
|
&penalties_by_expiry4, &penalties_by_addr4, &npenalties4,
|
|
(size_t)penalty_cfg.max_sources4);
|
|
srclimit_early_expire_penalties_from_tree("ipv6",
|
|
&penalties_by_expiry6, &penalties_by_addr6, &npenalties6,
|
|
(size_t)penalty_cfg.max_sources6);
|
|
}
|
|
|
|
void
|
|
srclimit_penalise(struct xaddr *addr, int penalty_type)
|
|
{
|
|
struct xaddr masked;
|
|
struct penalty *penalty = NULL, *existing = NULL;
|
|
double now;
|
|
int bits, max_sources = 0, overflow_mode;
|
|
double penalty_secs;
|
|
char addrnetmask[NI_MAXHOST + 4];
|
|
const char *reason = NULL, *t;
|
|
size_t *npenaltiesp = NULL;
|
|
struct penalties_by_addr *by_addr = NULL;
|
|
struct penalties_by_expiry *by_expiry = NULL;
|
|
|
|
if (!penalty_cfg.enabled)
|
|
return;
|
|
if (penalty_exempt != NULL) {
|
|
if (addr_ntop(addr, addrnetmask, sizeof(addrnetmask)) != 0)
|
|
return; /* shouldn't happen */
|
|
if (addr_match_list(addrnetmask, penalty_exempt) == 1) {
|
|
debug3_f("address %s is exempt", addrnetmask);
|
|
return;
|
|
}
|
|
}
|
|
|
|
switch (penalty_type) {
|
|
case SRCLIMIT_PENALTY_NONE:
|
|
return;
|
|
case SRCLIMIT_PENALTY_CRASH:
|
|
penalty_secs = penalty_cfg.penalty_crash;
|
|
reason = "penalty: caused crash";
|
|
break;
|
|
case SRCLIMIT_PENALTY_AUTHFAIL:
|
|
penalty_secs = penalty_cfg.penalty_authfail;
|
|
reason = "penalty: failed authentication";
|
|
break;
|
|
case SRCLIMIT_PENALTY_NOAUTH:
|
|
penalty_secs = penalty_cfg.penalty_noauth;
|
|
reason = "penalty: connections without attempting authentication";
|
|
break;
|
|
case SRCLIMIT_PENALTY_INVALIDUSER:
|
|
penalty_secs = penalty_cfg.penalty_invaliduser;
|
|
reason = "penalty: attempted authentication by invalid user";
|
|
break;
|
|
case SRCLIMIT_PENALTY_REFUSECONNECTION:
|
|
penalty_secs = penalty_cfg.penalty_refuseconnection;
|
|
reason = "penalty: connection prohibited by RefuseConnection";
|
|
break;
|
|
case SRCLIMIT_PENALTY_GRACE_EXCEEDED:
|
|
penalty_secs = penalty_cfg.penalty_grace;
|
|
reason = "penalty: exceeded LoginGraceTime";
|
|
break;
|
|
default:
|
|
fatal_f("internal error: unknown penalty %d", penalty_type);
|
|
}
|
|
|
|
if (penalty_secs <= 0)
|
|
return;
|
|
|
|
bits = addr->af == AF_INET ? ipv4_masklen : ipv6_masklen;
|
|
if (srclimit_mask_addr(addr, bits, &masked) != 0)
|
|
return;
|
|
addr_masklen_ntop(addr, bits, addrnetmask, sizeof(addrnetmask));
|
|
|
|
now = monotime_double();
|
|
expire_penalties(now);
|
|
by_expiry = addr->af == AF_INET ?
|
|
&penalties_by_expiry4 : &penalties_by_expiry6;
|
|
by_addr = addr->af == AF_INET ?
|
|
&penalties_by_addr4 : &penalties_by_addr6;
|
|
max_sources = addr->af == AF_INET ?
|
|
penalty_cfg.max_sources4 : penalty_cfg.max_sources6;
|
|
overflow_mode = addr->af == AF_INET ?
|
|
penalty_cfg.overflow_mode : penalty_cfg.overflow_mode6;
|
|
npenaltiesp = addr->af == AF_INET ? &npenalties4 : &npenalties6;
|
|
t = addr->af == AF_INET ? "ipv4" : "ipv6";
|
|
if (*npenaltiesp >= (size_t)max_sources &&
|
|
overflow_mode == PER_SOURCE_PENALTY_OVERFLOW_DENY_ALL) {
|
|
verbose_f("%s penalty table full, cannot penalise %s for %s", t,
|
|
addrnetmask, reason);
|
|
return;
|
|
}
|
|
|
|
penalty = xcalloc(1, sizeof(*penalty));
|
|
penalty->addr = masked;
|
|
penalty->expiry = now + penalty_secs;
|
|
penalty->reason = reason;
|
|
if ((existing = RB_INSERT(penalties_by_addr, by_addr,
|
|
penalty)) == NULL) {
|
|
/* penalty didn't previously exist */
|
|
if (penalty_secs > penalty_cfg.penalty_min)
|
|
penalty->active = 1;
|
|
if (RB_INSERT(penalties_by_expiry, by_expiry, penalty) != NULL)
|
|
fatal_f("internal error: %s penalty tables corrupt", t);
|
|
do_log2_f(penalty->active ?
|
|
SYSLOG_LEVEL_INFO : SYSLOG_LEVEL_VERBOSE,
|
|
"%s: new %s %s penalty of %.3f seconds for %s", t,
|
|
addrnetmask, penalty->active ? "active" : "deferred",
|
|
penalty_secs, reason);
|
|
if (++(*npenaltiesp) > (size_t)max_sources)
|
|
srclimit_early_expire_penalties(); /* permissive */
|
|
return;
|
|
}
|
|
debug_f("%s penalty for %s %s already exists, %lld seconds remaining",
|
|
existing->active ? "active" : "inactive", t,
|
|
addrnetmask, (long long)(existing->expiry - now));
|
|
/* Expiry information is about to change, remove from tree */
|
|
if (RB_REMOVE(penalties_by_expiry, by_expiry, existing) != existing)
|
|
fatal_f("internal error: %s penalty table corrupt (remove)", t);
|
|
/* An entry already existed. Accumulate penalty up to maximum */
|
|
existing->expiry += penalty_secs;
|
|
if (existing->expiry - now > penalty_cfg.penalty_max)
|
|
existing->expiry = now + penalty_cfg.penalty_max;
|
|
if (existing->expiry - now > penalty_cfg.penalty_min &&
|
|
!existing->active) {
|
|
logit_f("%s: activating %s penalty of %.3f seconds for %s",
|
|
addrnetmask, t, existing->expiry - now, reason);
|
|
existing->active = 1;
|
|
}
|
|
existing->reason = penalty->reason;
|
|
free(penalty);
|
|
penalty = NULL;
|
|
/* Re-insert into expiry tree */
|
|
if (RB_INSERT(penalties_by_expiry, by_expiry, existing) != NULL)
|
|
fatal_f("internal error: %s penalty table corrupt (insert)", t);
|
|
}
|
|
|
|
static void
|
|
srclimit_penalty_info_for_tree(const char *t,
|
|
struct penalties_by_expiry *by_expiry, size_t npenalties)
|
|
{
|
|
struct penalty *p = NULL;
|
|
int bits;
|
|
char s[NI_MAXHOST + 4];
|
|
double now;
|
|
|
|
now = monotime_double();
|
|
logit("%zu active %s penalties", npenalties, t);
|
|
RB_FOREACH(p, penalties_by_expiry, by_expiry) {
|
|
bits = p->addr.af == AF_INET ? ipv4_masklen : ipv6_masklen;
|
|
addr_masklen_ntop(&p->addr, bits, s, sizeof(s));
|
|
if (p->expiry < now)
|
|
logit("client %s %s (expired)", s, p->reason);
|
|
else {
|
|
logit("client %s %s (%.3f secs left)", s, p->reason,
|
|
p->expiry - now);
|
|
}
|
|
}
|
|
}
|
|
|
|
void
|
|
srclimit_penalty_info(void)
|
|
{
|
|
srclimit_penalty_info_for_tree("ipv4",
|
|
&penalties_by_expiry4, npenalties4);
|
|
srclimit_penalty_info_for_tree("ipv6",
|
|
&penalties_by_expiry6, npenalties6);
|
|
}
|