From 57beeaa6b23799ef7986a16bfc81b2de84a00aa8 Mon Sep 17 00:00:00 2001 From: Colin Watson Date: Fri, 8 Feb 2013 21:07:09 +0000 Subject: CVE-2010-5107: Improve DoS resistance by changing default of MaxStartups to 10:30:100 (closes: #700102). --- debian/patches/max-startups-default.patch | 57 +++++++++++++++++++++++++++++++ debian/patches/series | 1 + 2 files changed, 58 insertions(+) create mode 100644 debian/patches/max-startups-default.patch (limited to 'debian/patches') diff --git a/debian/patches/max-startups-default.patch b/debian/patches/max-startups-default.patch new file mode 100644 index 000000000..87e690bd1 --- /dev/null +++ b/debian/patches/max-startups-default.patch @@ -0,0 +1,57 @@ +Description: Change default of MaxStartups to 10:30:100 + This causes sshd to start doing random early drop at 10 connections up to + 100 connections. This will make it harder to DoS as CPUs have come a long + way since the original value was set back in 2000. +Author: Darren Tucker +Origin: http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/servconf.c?r1=1.234#rev1.234 +Origin: http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/sshd_config.5?r1=1.156#rev1.156 +Origin: http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/sshd_config?r1=1.89#rev1.89 +Bug-Debian: http://bugs.debian.org/700102 +Forwarded: not-needed +Last-Update: 2013-02-08 + +Index: b/servconf.c +=================================================================== +--- a/servconf.c ++++ b/servconf.c +@@ -264,11 +264,11 @@ + if (options->gateway_ports == -1) + options->gateway_ports = 0; + if (options->max_startups == -1) +- options->max_startups = 10; ++ options->max_startups = 100; + if (options->max_startups_rate == -1) +- options->max_startups_rate = 100; /* 100% */ ++ options->max_startups_rate = 30; /* 30% */ + if (options->max_startups_begin == -1) +- options->max_startups_begin = options->max_startups; ++ options->max_startups_begin = 10; + if (options->max_authtries == -1) + options->max_authtries = DEFAULT_AUTH_FAIL_MAX; + if (options->max_sessions == -1) +Index: b/sshd_config +=================================================================== +--- a/sshd_config ++++ b/sshd_config +@@ -108,7 +108,7 @@ + #ClientAliveCountMax 3 + #UseDNS yes + #PidFile /var/run/sshd.pid +-#MaxStartups 10 ++#MaxStartups 10:30:100 + #PermitTunnel no + #ChrootDirectory none + #VersionAddendum none +Index: b/sshd_config.5 +=================================================================== +--- a/sshd_config.5 ++++ b/sshd_config.5 +@@ -781,7 +781,7 @@ + Additional connections will be dropped until authentication succeeds or the + .Cm LoginGraceTime + expires for a connection. +-The default is 10. ++The default is 10:30:100. + .Pp + Alternatively, random early drop can be enabled by specifying + the three colon separated values diff --git a/debian/patches/series b/debian/patches/series index cb6be9a28..efb2c5432 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -27,6 +27,7 @@ shell-path.patch dnssec-sshfp.patch auth-log-verbosity.patch mention-ssh-keygen-on-keychange.patch +max-startups-default.patch # Versioning package-versioning.patch -- cgit v1.2.3