diff options
| -rw-r--r-- | ChangeLog | 6 | ||||
| -rw-r--r-- | servconf.c | 8 | ||||
| -rw-r--r-- | sshd_config | 4 | ||||
| -rw-r--r-- | sshd_config.5 | 6 |
4 files changed, 15 insertions, 9 deletions
| @@ -22,6 +22,12 @@ | |||
| 22 | - djm@cvs.openbsd.org 2013/01/27 10:06:12 | 22 | - djm@cvs.openbsd.org 2013/01/27 10:06:12 |
| 23 | [krl.c] | 23 | [krl.c] |
| 24 | actually use the xrealloc() return value; spotted by xi.wang AT gmail.com | 24 | actually use the xrealloc() return value; spotted by xi.wang AT gmail.com |
| 25 | - dtucker@cvs.openbsd.org 2013/02/06 00:20:42 | ||
| 26 | [servconf.c sshd_config sshd_config.5] | ||
| 27 | Change default of MaxStartups to 10:30:100 to start doing random early | ||
| 28 | drop at 10 connections up to 100 connections. This will make it harder | ||
| 29 | to DoS as CPUs have come a long way since the original value was set | ||
| 30 | back in 2000. Prompted by nion at debian org, ok markus@ | ||
| 25 | 31 | ||
| 26 | 20130211 | 32 | 20130211 |
| 27 | - (djm) [configure.ac openbsd-compat/openssl-compat.h] Repair build on old | 33 | - (djm) [configure.ac openbsd-compat/openssl-compat.h] Repair build on old |
diff --git a/servconf.c b/servconf.c index 21b371c84..b2a60fd6c 100644 --- a/servconf.c +++ b/servconf.c | |||
| @@ -1,5 +1,5 @@ | |||
| 1 | 1 | ||
| 2 | /* $OpenBSD: servconf.c,v 1.233 2012/12/02 20:46:11 djm Exp $ */ | 2 | /* $OpenBSD: servconf.c,v 1.234 2013/02/06 00:20:42 dtucker Exp $ */ |
| 3 | /* | 3 | /* |
| 4 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland | 4 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland |
| 5 | * All rights reserved | 5 | * All rights reserved |
| @@ -256,11 +256,11 @@ fill_default_server_options(ServerOptions *options) | |||
| 256 | if (options->gateway_ports == -1) | 256 | if (options->gateway_ports == -1) |
| 257 | options->gateway_ports = 0; | 257 | options->gateway_ports = 0; |
| 258 | if (options->max_startups == -1) | 258 | if (options->max_startups == -1) |
| 259 | options->max_startups = 10; | 259 | options->max_startups = 100; |
| 260 | if (options->max_startups_rate == -1) | 260 | if (options->max_startups_rate == -1) |
| 261 | options->max_startups_rate = 100; /* 100% */ | 261 | options->max_startups_rate = 30; /* 30% */ |
| 262 | if (options->max_startups_begin == -1) | 262 | if (options->max_startups_begin == -1) |
| 263 | options->max_startups_begin = options->max_startups; | 263 | options->max_startups_begin = 10; |
| 264 | if (options->max_authtries == -1) | 264 | if (options->max_authtries == -1) |
| 265 | options->max_authtries = DEFAULT_AUTH_FAIL_MAX; | 265 | options->max_authtries = DEFAULT_AUTH_FAIL_MAX; |
| 266 | if (options->max_sessions == -1) | 266 | if (options->max_sessions == -1) |
diff --git a/sshd_config b/sshd_config index 3d35bef02..9cd2fddce 100644 --- a/sshd_config +++ b/sshd_config | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | # $OpenBSD: sshd_config,v 1.88 2012/10/30 21:29:55 djm Exp $ | 1 | # $OpenBSD: sshd_config,v 1.89 2013/02/06 00:20:42 dtucker Exp $ |
| 2 | 2 | ||
| 3 | # This is the sshd server system-wide configuration file. See | 3 | # This is the sshd server system-wide configuration file. See |
| 4 | # sshd_config(5) for more information. | 4 | # sshd_config(5) for more information. |
| @@ -109,7 +109,7 @@ UsePrivilegeSeparation sandbox # Default for new installations. | |||
| 109 | #ClientAliveCountMax 3 | 109 | #ClientAliveCountMax 3 |
| 110 | #UseDNS yes | 110 | #UseDNS yes |
| 111 | #PidFile /var/run/sshd.pid | 111 | #PidFile /var/run/sshd.pid |
| 112 | #MaxStartups 10 | 112 | #MaxStartups 10:30:100 |
| 113 | #PermitTunnel no | 113 | #PermitTunnel no |
| 114 | #ChrootDirectory none | 114 | #ChrootDirectory none |
| 115 | #VersionAddendum none | 115 | #VersionAddendum none |
diff --git a/sshd_config.5 b/sshd_config.5 index d2913c33f..cfa480697 100644 --- a/sshd_config.5 +++ b/sshd_config.5 | |||
| @@ -33,8 +33,8 @@ | |||
| 33 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF | 33 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF |
| 34 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. | 34 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
| 35 | .\" | 35 | .\" |
| 36 | .\" $OpenBSD: sshd_config.5,v 1.155 2013/01/18 08:00:49 jmc Exp $ | 36 | .\" $OpenBSD: sshd_config.5,v 1.156 2013/02/06 00:20:42 dtucker Exp $ |
| 37 | .Dd $Mdocdate: January 18 2013 $ | 37 | .Dd $Mdocdate: February 6 2013 $ |
| 38 | .Dt SSHD_CONFIG 5 | 38 | .Dt SSHD_CONFIG 5 |
| 39 | .Os | 39 | .Os |
| 40 | .Sh NAME | 40 | .Sh NAME |
| @@ -820,7 +820,7 @@ SSH daemon. | |||
| 820 | Additional connections will be dropped until authentication succeeds or the | 820 | Additional connections will be dropped until authentication succeeds or the |
| 821 | .Cm LoginGraceTime | 821 | .Cm LoginGraceTime |
| 822 | expires for a connection. | 822 | expires for a connection. |
| 823 | The default is 10. | 823 | The default is 10:30:100. |
| 824 | .Pp | 824 | .Pp |
| 825 | Alternatively, random early drop can be enabled by specifying | 825 | Alternatively, random early drop can be enabled by specifying |
| 826 | the three colon separated values | 826 | the three colon separated values |