Date: Tue, 12 Nov 2019 15:18:31 +0000
From: bugzilla-noreply@freebsd.org
To: bugs@FreeBSD.org
Subject: [Bug 241917] blacklistd not accounting for failed sshd login attempts which failed reverse mapping checking
Message-ID: <bug-241917-227@https.bugs.freebsd.org/bugzilla/>

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=241917

Bug ID: 241917
Summary: blacklistd not accounting for failed sshd login attempts which failed reverse mapping checking
Product: Base System
Version: 12.1-RELEASE
Hardware: amd64
OS: Any
Status: New
Severity: Affects Some People
Priority: ---
Component: bin
Assignee: bugs@FreeBSD.org
Reporter: sebastian.wyder@me.com

blacklistd (or sshd) seems to not count failed sshd login attempts which failed the reverse mapping check of sshd.

As you can see by looking at the following examples, the failed login attempts from IP 171.251.29.248 that failed the reverse mapping check do not end up in blacklistd's table.

Example from /var/log/auth.log:

Nov 12 15:31:38 neptun sshd[7737]: Invalid user ching from 203.232.210.195 port 45908
Nov 12 15:31:38 neptun sshd[7737]: Failed unknown for invalid user ching from 203.232.210.195 port 45908 ssh2
Nov 12 15:31:38 neptun sshd[7737]: user NOUSER login class [preauth]
Nov 12 15:31:38 neptun sshd[7737]: Received disconnect from 203.232.210.195 port 45908:11: Bye Bye [preauth]
Nov 12 15:31:38 neptun sshd[7737]: Disconnected from invalid user ching 203.232.210.195 port 45908 [preauth]
Nov 12 15:31:43 neptun sshd[7747]: reverse mapping checking getaddrinfo for dynamic-ip-adsl.viettel.vn [171.251.29.248] failed.
Nov 12 15:31:48 neptun sshd[7747]: user root login class [preauth]
Nov 12 15:31:48 neptun sshd[7747]: Connection closed by authenticating user root 171.251.29.248 port 55562 [preauth]
Nov 12 15:44:25 neptun sshd[7917]: reverse mapping checking getaddrinfo for dynamic-ip-adsl.viettel.vn [171.251.29.248] failed.
Nov 12 15:44:30 neptun sshd[7917]: user root login class [preauth]
Nov 12 15:44:30 neptun sshd[7917]: Connection closed by authenticating user root 171.251.29.248 port 51998 [preauth]
Nov 12 15:48:39 neptun sshd[7921]: reverse mapping checking getaddrinfo for r-dfa.uhu.es [150.214.168.161] failed.
Nov 12 15:48:40 neptun sshd[7921]: user root login class [preauth]
Nov 12 15:48:40 neptun sshd[7921]: Received disconnect from 150.214.168.161 port 43510:11: Normal Shutdown, Thank you for playing [preauth]
Nov 12 15:48:40 neptun sshd[7921]: Disconnected from authenticating user root 150.214.168.161 port 43510 [preauth]
Nov 12 15:52:47 neptun sshd[7925]: user root login class [preauth]
Nov 12 15:52:48 neptun sshd[7925]: Received disconnect from 192.144.164.167 port 36350:11: Bye Bye [preauth]
Nov 12 15:52:48 neptun sshd[7925]: Disconnected from authenticating user root 192.144.164.167 port 36350 [preauth]
Nov 12 15:54:46 neptun sshd[7927]: reverse mapping checking getaddrinfo for dynamic-ip-adsl.viettel.vn [171.251.29.248] failed.
Nov 12 15:54:48 neptun sshd[7927]: Invalid user test from 171.251.29.248 port 18776
Nov 12 15:54:48 neptun sshd[7927]: Failed unknown for invalid user test from 171.251.29.248 port 18776 ssh2
Nov 12 15:54:48 neptun sshd[7927]: user NOUSER login class [preauth]
Nov 12 15:54:48 neptun sshd[7927]: Connection closed by invalid user test 171.251.29.248 port 18776 [preauth]
Nov 12 16:08:18 neptun sshd[7980]: reverse mapping checking getaddrinfo for dynamic-ip-adsl.viettel.vn [171.251.29.248] failed.
Nov 12 16:08:24 neptun sshd[7980]: Invalid user tmax from 171.251.29.248 port 63488
Nov 12 16:08:24 neptun sshd[7980]: Failed unknown for invalid user tmax from 171.251.29.248 port 63488 ssh2
Nov 12 16:08:24 neptun sshd[7980]: user NOUSER login class [preauth]
Nov 12 16:08:25 neptun sshd[7980]: Connection closed by invalid user tmax 171.251.29.248 port 63488 [preauth]

Example output from `blacklistctl dump -a`:

        address/ma:port  id  nfail  last access
    83.142.110.41/32:22      1/3    2019/11/12 14:40:44
  203.232.210.195/32:22      1/3    2019/11/12 15:31:38
      14.225.3.47/32:22      1/3    2019/11/12 14:47:11
    106.54.95.188/32:22      1/3    2019/11/12 14:16:38
    2.139.215.255/32:22      1/3    2019/11/12 14:29:34
   164.132.81.106/32:22      1/3    2019/11/12 15:06:29
  192.144.164.167/32:22      1/3    2019/11/12 15:52:47
      51.83.78.56/32:22      1/3    2019/11/12 14:23:44
    103.76.22.115/32:22      1/3    2019/11/12 14:49:15
    81.246.190.95/32:22      1/3    2019/11/12 15:22:22
  150.214.168.161/32:22      1/3    2019/11/12 15:48:40
  175.213.185.129/32:22      1/3    2019/11/12 14:49:57
    36.66.149.211/32:22      1/3    2019/11/12 15:06:02
    68.251.142.26/32:22      1/3    2019/11/12 13:54:48
   108.161.129.25/32:22      2/3    2019/11/12 14:52:51

-- 
You are receiving this mail because:
You are the assignee for the bug.
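
A cross-check for the discrepancy described in the report above, as an added example that is not part of the original message or of FreeBSD: it groups auth.log lines by sshd PID, collects the source addresses whose pre-auth sessions ended unauthenticated, and lists those with no entry in `blacklistctl dump -a` output. The sample input is constructed (documentation addresses and host names), and the function names and the set of log messages treated as a failed session are assumptions of this example.

```python
import re
from collections import defaultdict

# Constructed sample input in the format of the report's excerpts
# (documentation addresses and host names, not the report's data).
AUTH_LOG = """\
Nov 12 15:31:38 host sshd[101]: Disconnected from invalid user ching 192.0.2.10 port 45908 [preauth]
Nov 12 15:31:43 host sshd[102]: reverse mapping checking getaddrinfo for host.example.net [198.51.100.7] failed.
Nov 12 15:31:48 host sshd[102]: Connection closed by authenticating user root 198.51.100.7 port 55562 [preauth]
Nov 12 15:54:46 host sshd[103]: reverse mapping checking getaddrinfo for host.example.net [198.51.100.7] failed.
Nov 12 15:54:48 host sshd[103]: Connection closed by invalid user test 198.51.100.7 port 18776 [preauth]
"""
DUMP = """\
        address/ma:port id      nfail   last access
     192.0.2.10/32:22           1/3     2019/11/12 15:31:38
"""

SSHD = re.compile(r"sshd\[(\d+)\]: (.*)")
CLOSED = re.compile(r"(?:Connection closed by|Disconnected from) "
                    r"(?:invalid|authenticating) user \S+ (\S+) port \d+ \[preauth\]$")
TRACKED = re.compile(r"^\s*(\S+)/\d+:\d+\s")  # "addr/mask:port"; skips the header


def preauth_failures(log):
    """Per source IP: unauthenticated pre-auth sessions, and how many of
    them also logged a reverse-mapping failure under the same sshd PID."""
    stats = defaultdict(lambda: {"sessions": 0, "rdns_failed": 0})
    rdns_pids = set()
    for pid, msg in SSHD.findall(log):  # one (pid, message) pair per sshd line
        if msg.startswith("reverse mapping checking getaddrinfo"):
            rdns_pids.add(pid)
        closed = CLOSED.search(msg)
        if closed:
            entry = stats[closed.group(1)]
            entry["sessions"] += 1
            entry["rdns_failed"] += int(pid in rdns_pids)
            rdns_pids.discard(pid)  # sshd PIDs are reused over time
    return dict(stats)


def untracked(log, dump):
    """IPs with failed pre-auth sessions that have no entry in the dump."""
    tracked = {m.group(1) for m in map(TRACKED.match, dump.splitlines()) if m}
    return {ip: s for ip, s in preauth_failures(log).items() if ip not in tracked}


if __name__ == "__main__":
    print(untracked(AUTH_LOG, DUMP))
```

An address reported with a non-zero `rdns_failed` count matches the pattern in the report: sessions that logged the reverse mapping failure and never appeared in blacklistd's table.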