
OpenSSH Introduces Options to Penalize Undesirable Behavior

by janrinok from SoylentNews on (#6NEJG)

upstart writes:

OpenSSH introduces options to penalize undesirable behavior:

In a recent commit, Damien Miller (djm@) introduced two new sshd(8) configuration options, PerSourcePenalties and PerSourcePenaltyExemptList, to provide a built-in facility in sshd(8) itself to penalize undesirable client behavior, and to shield specific clients from penalty, respectively.

The commit message reads,

List: openbsd-cvs
Subject: CVS: cvs.openbsd.org: src
From: Damien Miller <djm () cvs ! openbsd ! org>
Date: 2024-06-06 17:15:26

CVSROOT: /cvs
Module name: src
Changes by: djm@cvs.openbsd.org 2024/06/06 11:15:26

Modified files:
usr.bin/ssh : misc.c misc.h monitor.c monitor_wrap.c servconf.c servconf.h srclimit.c srclimit.h sshd-session.c sshd.c sshd_config.5

Log message:
Add a facility to sshd(8) to penalise particular problematic client behaviours, controlled by two new sshd_config(5) options: PerSourcePenalties and PerSourcePenaltyExemptList.

When PerSourcePenalties are enabled, sshd(8) will monitor the exit status of its child pre-auth session processes. Through the exit status, it can observe situations where the session did not authenticate as expected. These conditions include when the client repeatedly attempted authentication unsuccessfully (possibly indicating an attack against one or more accounts, e.g. password guessing), or when client behaviour caused sshd to crash (possibly indicating attempts to exploit sshd).

When such a condition is observed, sshd will record a penalty of some duration (e.g. 30 seconds) against the client's address. If this time is above a minimum threshold specified by the PerSourcePenalties, then connections from the client address will be refused (along with any others in the same PerSourceNetBlockSize CIDR range).

Repeated offenses by the same client address will accrue greater penalties, up to a configurable maximum. A PerSourcePenaltyExemptList option allows certain address ranges to be exempt from all penalties.

We hope these options will make it significantly more difficult for attackers to find accounts with weak/guessable passwords or exploit bugs in sshd(8) itself.

PerSourcePenalties is off by default, but we expect to enable it automatically in the near future.

This new facility comes in addition to the already well known and loved pf.conf state tracking options, and is for now available only in OpenBSD-current, but will almost certainly be available in the upcoming OpenBSD 7.6 release.
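The accrual, threshold, cap, netblock and exemption behaviour the commit message describes can be modelled in a few dozen lines. The following is an added illustration written for this page; it is not OpenSSH's code (sshd keeps this state in its monitor process and srclimit.c) and the class name, method names, outcome labels and every duration in it are constructed stand-ins, not the real PerSourcePenalties syntax.

```python
"""Toy model of sshd's per-source penalty logic as described in the commit.

Added illustration, not OpenSSH's implementation. Names, outcome labels
and all durations are constructed for the example."""
import ipaddress


class PenaltyTable:
    """Tracks penalty expiry per source netblock: bad pre-auth exits add a
    penalty, new connections are refused while the outstanding penalty is
    at or above `min_penalty`, accrual is capped at `max_penalty`, and
    exempt ranges are never penalised."""

    # Penalty seconds per observed pre-auth outcome (constructed values).
    PENALTY_SECONDS = {"authfail": 5, "noauth": 1, "crash": 90}

    def __init__(self, min_penalty=15, max_penalty=600,
                 netblock_v4=32, netblock_v6=128, exempt=()):
        self.min_penalty = min_penalty
        self.max_penalty = max_penalty
        self.netblock_v4 = netblock_v4      # stands in for PerSourceNetBlockSize
        self.netblock_v6 = netblock_v6
        self.exempt = [ipaddress.ip_network(e) for e in exempt]
        self.expiry = {}                    # netblock -> time the penalty ends

    def _netblock(self, addr):
        ip = ipaddress.ip_address(addr)
        prefix = self.netblock_v4 if ip.version == 4 else self.netblock_v6
        return ipaddress.ip_network(f"{ip}/{prefix}", strict=False)

    def is_exempt(self, addr):
        ip = ipaddress.ip_address(addr)
        return any(ip in net for net in self.exempt)

    def remaining(self, addr, now):
        """Seconds of penalty still outstanding for the address's netblock."""
        block = self._netblock(addr)
        end = self.expiry.get(block)
        if end is None:
            return 0
        if end <= now:                      # expired: forget the entry
            del self.expiry[block]
            return 0
        return end - now

    def record(self, outcome, addr, now):
        """Called when a pre-auth child for `addr` exits with a bad status.
        Returns the new outstanding penalty in seconds (0 if exempt)."""
        if self.is_exempt(addr):
            return 0
        added = self.PENALTY_SECONDS[outcome]
        new_total = min(self.remaining(addr, now) + added, self.max_penalty)
        self.expiry[self._netblock(addr)] = now + new_total
        return new_total

    def allow(self, addr, now):
        """Accept-or-refuse decision for a new connection from `addr`."""
        if self.is_exempt(addr):
            return True
        return self.remaining(addr, now) < self.min_penalty


def demo():
    """Constructed scenario: a password-guessing client in 203.0.113.0/24
    and an exempt management host; returns the sequence of decisions."""
    table = PenaltyTable(min_penalty=15, max_penalty=600,
                         netblock_v4=24, exempt=["10.0.0.0/8"])
    decisions = []
    for t in range(4):                      # four failed auths, one per second
        table.record("authfail", "203.0.113.5", now=t)
        decisions.append(table.allow("203.0.113.5", now=t))
    # A neighbour in the same /24 shares the penalty; the exempt host does not.
    decisions.append(table.allow("203.0.113.77", now=3))
    table.record("crash", "10.1.2.3", now=3)
    decisions.append(table.allow("10.1.2.3", now=3))
    return decisions


if __name__ == "__main__":
    print(demo())
```

The model makes one property of the design visible: a single failure never blocks anyone, because its penalty stays below the minimum threshold, whereas repeated failures from one source, or a single crash, cross it, and the block applies to the whole configured netblock until the accrued time runs out.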

Read more of this story at SoylentNews.
