authorBrian Feldman <green@FreeBSD.org>1999-12-06 06:32:22 +0000
committerBrian Feldman <green@FreeBSD.org>1999-12-06 06:32:22 +0000
commit7db4f457f6a6ea6b626f279559bb1f64eb99340f (patch)
tree59214fa124baf135ea161ba06a2e04db29138b42 /security/openssh/files/patch-ap
parentUnder advisories, put RESTRICTED back. It more accurately reflects (diff)
In the meantime (while things are being worked out and decided on the
OpenBSD OpenSSH front), add ConnectionsPerPeriod to prevent DoS via running the system out of resources. In reality, this wouldn't be a full DoS but would make a system slower; still, this is better than letting the system get loaded down. So here we are, rate-limiting. The default settings are now: five connections are allowed to authenticate (and not be rejected) in a period of ten seconds. One minute is given for login grace time. More work in this area is being done by alfred@FreeBSD.org and markus@OpenBSD.org, at the very least. This is, essentially, a stopgap solution; however, it is a properly implemented and documented one, and has an easily modifiable framework.
Notes
Notes: svn path=/head/; revision=23622
Diffstat (limited to 'security/openssh/files/patch-ap')
-rw-r--r--security/openssh/files/patch-ap138
1 files changed, 138 insertions, 0 deletions
diff --git a/security/openssh/files/patch-ap b/security/openssh/files/patch-ap
new file mode 100644
index 000000000000..101b456fbafc
--- /dev/null
+++ b/security/openssh/files/patch-ap
@@ -0,0 +1,138 @@
+--- servconf.c.orig Sun Dec 5 01:48:12 1999
++++ servconf.c Sun Dec 5 01:57:57 1999
+@@ -63,6 +63,8 @@
+ options->num_deny_users = 0;
+ options->num_allow_groups = 0;
+ options->num_deny_groups = 0;
++ options->connections_per_period = 0;
++ options->connections_period = 0;
+ }
+
+ void
+@@ -161,7 +163,7 @@
+ sPrintMotd, sIgnoreRhosts, sX11Forwarding, sX11DisplayOffset,
+ sStrictModes, sEmptyPasswd, sRandomSeedFile, sKeepAlives, sCheckMail,
+ sUseLogin, sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups,
+- sIgnoreUserKnownHosts
++ sIgnoreUserKnownHosts, sConnectionsPerPeriod
+ } ServerOpCodes;
+
+ /* Textual representation of the tokens. */
+@@ -209,6 +211,7 @@
+ { "denyusers", sDenyUsers },
+ { "allowgroups", sAllowGroups },
+ { "denygroups", sDenyGroups },
++ { "connectionsperperiod", sConnectionsPerPeriod },
+ { NULL, 0 }
+ };
+
+@@ -270,7 +273,11 @@
+ filename, linenum);
+ exit(1);
+ }
+- value = atoi(cp);
++ if (sscanf(cp, " %d ", &value) != 1) {
++ fprintf(stderr, "%s line %d: invalid integer value.\n",
++ filename, linenum);
++ exit(1);
++ }
+ if (*intptr == -1)
+ *intptr = value;
+ break;
+@@ -466,63 +473,65 @@
+
+ case sAllowUsers:
+ while ((cp = strtok(NULL, WHITESPACE))) {
+- if (options->num_allow_users >= MAX_ALLOW_USERS) {
+- fprintf(stderr, "%s line %d: too many allow users.\n",
+- filename, linenum);
+- exit(1);
+- }
++ if (options->num_allow_users >= MAX_ALLOW_USERS)
++ fatal("%.200s line %d: too many allow users.\n", filename,
++ linenum);
+ options->allow_users[options->num_allow_users++] = xstrdup(cp);
+ }
+ break;
+
+ case sDenyUsers:
+ while ((cp = strtok(NULL, WHITESPACE))) {
+- if (options->num_deny_users >= MAX_DENY_USERS) {
+- fprintf(stderr, "%s line %d: too many deny users.\n",
+- filename, linenum);
+- exit(1);
+- }
++ if (options->num_deny_users >= MAX_DENY_USERS)
++ fatal("%.200s line %d: too many deny users.\n", filename,
++ linenum);
+ options->deny_users[options->num_deny_users++] = xstrdup(cp);
+ }
+ break;
+
+ case sAllowGroups:
+ while ((cp = strtok(NULL, WHITESPACE))) {
+- if (options->num_allow_groups >= MAX_ALLOW_GROUPS) {
+- fprintf(stderr, "%s line %d: too many allow groups.\n",
+- filename, linenum);
+- exit(1);
+- }
++ if (options->num_allow_groups >= MAX_ALLOW_GROUPS)
++ fatal("%.200s line %d: too many allow groups.\n", filename,
++ linenum);
+ options->allow_groups[options->num_allow_groups++] = xstrdup(cp);
+ }
+ break;
+
+ case sDenyGroups:
+ while ((cp = strtok(NULL, WHITESPACE))) {
+- if (options->num_deny_groups >= MAX_DENY_GROUPS) {
+- fprintf(stderr, "%s line %d: too many deny groups.\n",
+- filename, linenum);
+- exit(1);
+- }
++ if (options->num_deny_groups >= MAX_DENY_GROUPS)
++ fatal("%.200s line %d: too many deny groups.\n", filename,
++ linenum);
+ options->deny_groups[options->num_deny_groups++] = xstrdup(cp);
+ }
+ break;
+
++ case sConnectionsPerPeriod:
++ cp = strtok(NULL, WHITESPACE);
++ if (cp == NULL)
++ fatal("%.200s line %d: missing (>= 0) number argument.\n",
++ filename, linenum);
++ if (sscanf(cp, " %u/%u ", &options->connections_per_period,
++ &options->connections_period) != 2)
++ fatal("%.200s line %d: invalid numerical argument(s).\n",
++ filename, linenum);
++ if (options->connections_per_period != 0 &&
++ options->connections_period == 0)
++ fatal("%.200s line %d: invalid connections period.\n",
++ filename, linenum);
++ break;
++
+ default:
+- fprintf(stderr, "%s line %d: Missing handler for opcode %s (%d)\n",
++ fatal("%.200s line %d: Missing handler for opcode %s (%d)\n",
+ filename, linenum, cp, opcode);
+- exit(1);
+- }
+- if (strtok(NULL, WHITESPACE) != NULL) {
+- fprintf(stderr, "%s line %d: garbage at end of line.\n",
+- filename, linenum);
+- exit(1);
+ }
++ if (strtok(NULL, WHITESPACE) != NULL)
++ fatal("%.200s line %d: garbage at end of line.\n", filename,
++ linenum);
+ }
+ fclose(f);
+- if (bad_options > 0) {
+- fprintf(stderr, "%s: terminating, %d bad configuration options\n",
++ if (bad_options > 0)
++ fatal("%.200s: terminating, %d bad configuration options\n",
+ filename, bad_options);
+- exit(1);
+- }
+ }
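Review bot: The `sscanf(cp, " %u/%u ", ...)` in the new sConnectionsPerPeriod case does not enforce the ">= 0" its error message promises: the `%u` conversion accepts a leading sign, so a token such as `-1/10` parses to UINT_MAX and silently disables the limiter, and characters after the second number are ignored because the token is already whitespace-delimited by strtok. The earlier `if (sscanf(cp, " %d ", &value) != 1)` that replaces atoi() shares the trailing-garbage weakness (a token like `5x` is accepted as 5) and should likewise use strtol with an end-pointer check. Parsing with strtoul plus end-pointer and range checks, as below, closes both holes in the period option; the `connections_*` field types are not visible in this hunk, so the UINT_MAX comparison assumes the `unsigned int` that `%u` implies and needs `<limits.h>` if servconf.c does not already include it. Separately, if fatal() appends its own newline as OpenSSH's log routines do, the trailing `\n` in each new fatal() format string is redundant. The enclosing configuration-reading function starts outside this hunk.
```c
	case sConnectionsPerPeriod:
		/* … unchanged: strtok and missing-argument check … */
		{
			char *end;
			unsigned long per_period, period;

			/* Reject the sign and leading whitespace strtoul would accept. */
			if (*cp < '0' || *cp > '9')
				fatal("%.200s line %d: invalid numerical argument(s).\n",
				    filename, linenum);
			per_period = strtoul(cp, &end, 10);
			if (*end != '/' || end[1] < '0' || end[1] > '9')
				fatal("%.200s line %d: invalid numerical argument(s).\n",
				    filename, linenum);
			period = strtoul(end + 1, &end, 10);
			/* Whole token must be consumed and both values must fit the fields. */
			if (*end != '\0' || per_period > UINT_MAX || period > UINT_MAX)
				fatal("%.200s line %d: invalid numerical argument(s).\n",
				    filename, linenum);
			options->connections_per_period = per_period;
			options->connections_period = period;
		}
		/* … unchanged: zero-period check and break … */
```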