Mercurial > dropbear
comparison default_options.h @ 1790:42745af83b7d
Introduce extra delay before closing unauthenticated sessions
To make it harder for attackers, introduce a delay to keep an
unauthenticated session open a bit longer, thus blocking a connection
slot until after the delay.
Without this, while there is a limit on the amount of attempts an attacker
can make at the same time (MAX_UNAUTH_PER_IP), the time taken by dropbear to
handle one attempt is still short and thus for each of the allowed parallel
attempts many attempts can be chained one after the other. The attempt rate
is then:
"MAX_UNAUTH_PER_IP / <process time of one attempt>".
With the delay, this rate becomes:
"MAX_UNAUTH_PER_IP / UNAUTH_CLOSE_DELAY".
author | Thomas De Schampheleire <thomas.de_schampheleire@nokia.com> |
---|---|
date | Wed, 15 Feb 2017 13:53:04 +0100 |
parents | c0f12eaf95c9 |
children | ed20d805b332 |
comparison
equal
deleted
inserted
replaced
1789:249681d9ecda | 1790:42745af83b7d |
---|---|
254 | 254 |
255 /* Default maximum number of failed authentication tries (server option) */ | 255 /* Default maximum number of failed authentication tries (server option) */ |
256 /* -T server option overrides */ | 256 /* -T server option overrides */ |
257 #define MAX_AUTH_TRIES 10 | 257 #define MAX_AUTH_TRIES 10 |
258 | 258 |
259 /* Delay introduced before closing an unauthenticated session (seconds) */ | |
260 #define UNAUTH_CLOSE_DELAY 30 | |
261 | |
259 /* The default file to store the daemon's process ID, for shutdown | 262 /* The default file to store the daemon's process ID, for shutdown |
260 scripts etc. This can be overridden with the -P flag */ | 263 scripts etc. This can be overridden with the -P flag */ |
261 #define DROPBEAR_PIDFILE "/var/run/dropbear.pid" | 264 #define DROPBEAR_PIDFILE "/var/run/dropbear.pid" |
262 | 265 |
263 /* The command to invoke for xauth when using X11 forwarding. | 266 /* The command to invoke for xauth when using X11 forwarding. |