[PATCH] Introduce extra delay before closing unauthenticated sessions
Thomas De Schampheleire
patrickdepinguin at gmail.com
Wed Jan 20 20:15:57 AWST 2021
Hello,
On Tue, 22 Dec 2020 at 15:52, Thomas De Schampheleire
(<patrickdepinguin at gmail.com>) wrote:
>
> # HG changeset patch
> # User Thomas De Schampheleire <thomas.de_schampheleire at nokia.com>
> # Date 1487163184 -3600
> # Wed Feb 15 13:53:04 2017 +0100
> # Node ID ef434ebf63f7a935e9530bb2cd2e8d0463a5217a
> # Parent 249681d9ecda383b7241b3cc360884093015dede
> Introduce extra delay before closing unauthenticated sessions
>
> To make it harder for attackers, introduce a delay to keep an
> unauthenticated session open a bit longer, thus blocking a connection
> slot until after the delay.
>
> Without this, while there is a limit on the number of attempts an attacker
> can make at the same time (MAX_UNAUTH_PER_IP), the time taken by dropbear to
> handle one attempt is still short and thus for each of the allowed parallel
> attempts many attempts can be chained one after the other. The attempt rate
> is then:
> "MAX_UNAUTH_PER_IP / <process time of one attempt>".
>
> With the delay, this rate becomes:
> "MAX_UNAUTH_PER_IP / UNAUTH_CLOSE_DELAY".
>
> diff --git a/default_options.h b/default_options.h
> --- a/default_options.h
> +++ b/default_options.h
> @@ -256,6 +256,9 @@ Homedir is prepended unless path begins
> /* -T server option overrides */
> #define MAX_AUTH_TRIES 10
>
> +/* Delay introduced before closing an unauthenticated session (seconds) */
> +#define UNAUTH_CLOSE_DELAY 30
> +
> /* The default file to store the daemon's process ID, for shutdown
> scripts etc. This can be overridden with the -P flag */
> #define DROPBEAR_PIDFILE "/var/run/dropbear.pid"
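Review bot: the comment on UNAUTH_CLOSE_DELAY should say that 0 disables the delay, since svr-session.c only sleeps when `UNAUTH_CLOSE_DELAY > 0`, and should spell out the cost of the 30 second default: every session that exits before authentication, including a legitimate user who mistyped a password and reconnects, keeps one of the MAX_UNAUTH_PER_IP slots occupied for the whole delay. Something like `/* Delay before closing an unauthenticated session (seconds), 0 to disable. The slot counted against MAX_UNAUTH_PER_IP stays in use for the duration of the delay. */` would make the trade-off visible to anyone changing the value.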
> diff --git a/svr-session.c b/svr-session.c
> --- a/svr-session.c
> +++ b/svr-session.c
> @@ -215,6 +215,7 @@ void svr_dropbear_exit(int exitcode, con
> char fullmsg[300];
> char fromaddr[60];
> int i;
> + int add_delay = 0;
>
> #if DROPBEAR_PLUGIN
> if ((ses.plugin_session != NULL)) {
> @@ -247,13 +248,33 @@ void svr_dropbear_exit(int exitcode, con
> snprintf(fullmsg, sizeof(fullmsg),
> "Exit before auth%s: (user '%s', %u fails): %s",
> fromaddr, ses.authstate.pw_name, ses.authstate.failcount, exitmsg);
> + add_delay = 1;
> } else {
> /* before userauth */
> snprintf(fullmsg, sizeof(fullmsg), "Exit before auth%s: %s", fromaddr, exitmsg);
> + add_delay = 1;
> }
>
> dropbear_log(LOG_INFO, "%s", fullmsg);
>
> + /* To make it harder for attackers, introduce a delay to keep an
> + * unauthenticated session open a bit longer, thus blocking a connection
> + * slot until after the delay. Without this, while there is a limit on
> + * the amount of attempts an attacker can make at the same time
> + * (MAX_UNAUTH_PER_IP), the time taken by dropbear to handle one attempt
> + * is still short and thus for each of the allowed parallel attempts
> + * many attempts can be chained one after the other. The attempt rate is
> + * then:
> + * "MAX_UNAUTH_PER_IP / <process time of one attempt>".
> + * With the delay, this rate becomes:
> + * "MAX_UNAUTH_PER_IP / UNAUTH_CLOSE_DELAY".
> + */
> + if ((add_delay != 0) && (UNAUTH_CLOSE_DELAY > 0)) {
> + TRACE(("svr_dropbear_exit: start delay of %d seconds", UNAUTH_CLOSE_DELAY));
> + sleep(UNAUTH_CLOSE_DELAY);
> + TRACE(("svr_dropbear_exit: end delay of %d seconds", UNAUTH_CLOSE_DELAY));
> + }
> +
> #if DROPBEAR_VFORK
> /* For uclinux only the main server process should cleanup - we don't want
> * forked children doing that */
>
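Review bot: `sleep(UNAUTH_CLOSE_DELAY)` returns early when a signal is delivered to the process, so the hold time is not guaranteed to be the full UNAUTH_CLOSE_DELAY; if a minimum is intended, loop on the remaining time that sleep() returns (`unsigned left = UNAUTH_CLOSE_DELAY; while (left > 0) left = sleep(left);`) or use nanosleep with the remainder. Both branches set `add_delay = 1`, so the delay also applies to connections that close cleanly before any authentication request (monitoring checks, a client that picked the wrong host); setting add_delay only when `ses.authstate.failcount > 0` would limit the slot hold to sessions that actually attempted to authenticate. Since the sleep runs after dropbear_log(), the logged exit precedes the real socket close by UNAUTH_CLOSE_DELAY seconds, which is worth a sentence in the comment for anyone correlating log timestamps with connection counts.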
Any comments on this patch?
Thanks,
Thomas