1 files changed, 57 insertions, 0 deletions
diff --git a/debian/patches/max-startups-default.patch b/debian/patches/max-startups-default.patch
new file mode 100644
index 000000000..87e690bd1
--- /dev/null
+++ b/debian/patches/max-startups-default.patch
@@ -0,0 +1,57 @@
+Description: Change default of MaxStartups to 10:30:100
+ This causes sshd to start doing random early drop at 10 connections up to
+ 100 connections.  This will make it harder to DoS as CPUs have come a long
+ way since the original value was set back in 2000.
+Author: Darren Tucker
+Origin: http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/servconf.c?r1=1.234#rev1.234
+Origin: http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/sshd_config.5?r1=1.156#rev1.156
+Origin: http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/sshd_config?r1=1.89#rev1.89
+Bug-Debian: http://bugs.debian.org/700102
+Forwarded: not-needed
+Last-Update: 2013-02-08
+Index: b/servconf.c
+===================================================================
+--- a/servconf.c
+++ b/servconf.c
+@@ -264,11 +264,11 @@
+        if (options->gateway_ports == -1)
+                options->gateway_ports = 0;
+        if (options->max_startups == -1)
+-               options->max_startups = 10;
+               options->max_startups = 100;
+        if (options->max_startups_rate == -1)
+-               options->max_startups_rate = 100;               /* 100% */
+               options->max_startups_rate = 30;                /* 30% */
+        if (options->max_startups_begin == -1)
+-               options->max_startups_begin = options->max_startups;
+               options->max_startups_begin = 10;
+        if (options->max_authtries == -1)
+                options->max_authtries = DEFAULT_AUTH_FAIL_MAX;
+        if (options->max_sessions == -1)
+Index: b/sshd_config
+===================================================================
+--- a/sshd_config
+++ b/sshd_config
+@@ -108,7 +108,7 @@
+ #ClientAliveCountMax 3
+ #UseDNS yes
+ #PidFile /var/run/sshd.pid
+-#MaxStartups 10
+#MaxStartups 10:30:100
+ #PermitTunnel no
+ #ChrootDirectory none
+ #VersionAddendum none
+Index: b/sshd_config.5
+===================================================================
+--- a/sshd_config.5
+++ b/sshd_config.5
+@@ -781,7 +781,7 @@
+ Additional connections will be dropped until authentication succeeds or the
+ .Cm LoginGraceTime
+ expires for a connection.
+-The default is 10.
+The default is 10:30:100.
+ .Pp
+ Alternatively, random early drop can be enabled by specifying
+ the three colon separated values

diff --git a/debian/patches/max-startups-default.patch b/debian/patches/max-startups-default.patch new file mode 100644 index 000000000..87e690bd1 --- /dev/null +++ b/debian/patches/max-startups-default.patch
@@ -0,0 +1,57 @@
	1	Description: Change default of MaxStartups to 10:30:100
	2	This causes sshd to start doing random early drop at 10 connections up to
	3	100 connections. This will make it harder to DoS as CPUs have come a long
	4	way since the original value was set back in 2000.
	5	Author: Darren Tucker
	6	Origin: http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/servconf.c?r1=1.234#rev1.234
	7	Origin: http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/sshd_config.5?r1=1.156#rev1.156
	8	Origin: http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/sshd_config?r1=1.89#rev1.89
	9	Bug-Debian: http://bugs.debian.org/700102
	10	Forwarded: not-needed
	11	Last-Update: 2013-02-08
	12
	13	Index: b/servconf.c
	14	===================================================================
	15	--- a/servconf.c
	16	+++ b/servconf.c
	17	@@ -264,11 +264,11 @@
	18	if (options->gateway_ports == -1)
	19	options->gateway_ports = 0;
	20	if (options->max_startups == -1)
	21	- options->max_startups = 10;
	22	+ options->max_startups = 100;
	23	if (options->max_startups_rate == -1)
	24	- options->max_startups_rate = 100; /* 100% */
	25	+ options->max_startups_rate = 30; /* 30% */
	26	if (options->max_startups_begin == -1)
	27	- options->max_startups_begin = options->max_startups;
	28	+ options->max_startups_begin = 10;
	29	if (options->max_authtries == -1)
	30	options->max_authtries = DEFAULT_AUTH_FAIL_MAX;
	31	if (options->max_sessions == -1)
	32	Index: b/sshd_config
	33	===================================================================
	34	--- a/sshd_config
	35	+++ b/sshd_config
	36	@@ -108,7 +108,7 @@
	37	#ClientAliveCountMax 3
	38	#UseDNS yes
	39	#PidFile /var/run/sshd.pid
	40	-#MaxStartups 10
	41	+#MaxStartups 10:30:100
	42	#PermitTunnel no
	43	#ChrootDirectory none
	44	#VersionAddendum none
	45	Index: b/sshd_config.5
	46	===================================================================
	47	--- a/sshd_config.5
	48	+++ b/sshd_config.5
	49	@@ -781,7 +781,7 @@
	50	Additional connections will be dropped until authentication succeeds or the
	51	.Cm LoginGraceTime
	52	expires for a connection.
	53	-The default is 10.
	54	+The default is 10:30:100.
	55	.Pp
	56	Alternatively, random early drop can be enabled by specifying
	57	the three colon separated values