From: László Károlyi <laszlo@karolyi.hu>
To: freebsd-bugs@freebsd.org
Subject: Blacklistd not recognizing probing attempts
Date: Wed, 27 Feb 2019 02:52:32 +0100

Hey guys,

I'm on 12.0-RELEASE-p3 and I have configured blacklistd with sshd to lock out those random IPs that are probing my server. The problem is, I noticed that in many cases, blacklistd does not put the offending IP on its list.

I've contacted Christos Zoulas in email to see if he has anything to tell about it, and after putting blacklistd in debug mode and reproducing the issue, he suggested to contact you with it. So here it is.

I'll paste a couple lines from the sshd log, I get these, which aren't registered for some reason:

Feb 27 00:47:55 ksol sshd[35453]: Invalid user mythtv from 118.151.209.119 port 50560
Feb 27 00:47:55 ksol sshd[35453]: Failed unknown for invalid user mythtv from 118.151.209.119 port 50560 ssh2
Feb 27 00:47:55 ksol sshd[35453]: user NOUSER login class  [preauth]
Feb 27 00:58:37 ksol sshd[72748]: Connection closed by 115.231.239.155 port 59107 [preauth]
Feb 27 00:59:41 ksol sshd[75022]: user sshd login class  [preauth]
Feb 27 00:59:41 ksol sshd[75022]: Connection closed by authenticating user sshd 175.197.206.221 port 40517 [preauth]
Feb 27 01:18:17 ksol sshd[97108]: Invalid user user1 from 86.241.250.150 port 36452
Feb 27 01:18:17 ksol sshd[97108]: Failed unknown for invalid user user1 from 86.241.250.150 port 36452 ssh2
Feb 27 01:18:17 ksol sshd[97108]: user NOUSER login class  [preauth]
Feb 27 01:18:17 ksol sshd[97108]: Connection closed by invalid user user1 86.241.250.150 port 36452 [preauth]
Feb 27 01:39:51 ksol sshd[33033]: Invalid user ubnt from 213.120.170.34 port 58208
Feb 27 01:39:51 ksol sshd[33033]: Failed unknown for invalid user ubnt from 213.120.170.34 port 58208 ssh2
Feb 27 01:39:51 ksol sshd[33033]: user NOUSER login class  [preauth]
Feb 27 01:39:52 ksol sshd[33033]: Connection closed by invalid user ubnt 213.120.170.34 port 58208 [preauth]
Feb 27 02:01:57 ksol sshd[98410]: Invalid user leo from 70.180.210.136 port 36757
Feb 27 02:01:57 ksol sshd[98410]: Failed unknown for invalid user leo from 70.180.210.136 port 36757 ssh2
Feb 27 02:01:57 ksol sshd[98410]: user NOUSER login class  [preauth]
Feb 27 02:01:57 ksol sshd[98410]: Connection closed by invalid user leo 70.180.210.136 port 36757 [preauth]
Feb 27 02:05:28 ksol sshd[51390]: reverse mapping checking getaddrinfo for rev-13-246-20.isp3.alsatis.net [37.1.246.13] failed.
Feb 27 02:05:33 ksol sshd[51390]: Invalid user alarm from 37.1.246.13 port 54636
Feb 27 02:05:33 ksol sshd[51390]: Failed unknown for invalid user alarm from 37.1.246.13 port 54636 ssh2
Feb 27 02:05:33 ksol sshd[51390]: user NOUSER login class  [preauth]
Feb 27 02:05:33 ksol sshd[51390]: Connection closed by invalid user alarm 37.1.246.13 port 54636 [preauth]

Out of all these IPs, only the first was registered in blacklistd's inner list. When someone tries to use keyboard-interactive auth and that fails, that seems to get registered. These attempts above on the other hand, do not, or very rarely.

We looked at the FreeBSD source and it seems the blacklistd patch was done by Kurt Lidl:

https://github.com/freebsd/freebsd/blob/master/contrib/blacklist/diff/ssh.diff
https://github.com/freebsd/freebsd/blob/master/crypto/openssh/sshd.c

Can someone forward this email to him, or is anybody able to help me here?

Cheers,
-- 
László Károlyi
https://linkedin.com/in/karolyi
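
Added example (not part of the original message and not FreeBSD project code): a cross-check that groups the pre-auth sshd lines quoted in the report by source address and sshd PID, then lists the addresses missing from a blocklist snapshot. The function names and the `listed` set are assumptions of this sketch; `listed` is supplied by the operator and here holds only the one address the report says was registered.

```python
import re
from collections import defaultdict

# Subset of the sshd lines quoted in the report above.
SAMPLE_LOG = """\
Feb 27 00:47:55 ksol sshd[35453]: Invalid user mythtv from 118.151.209.119 port 50560
Feb 27 00:47:55 ksol sshd[35453]: Failed unknown for invalid user mythtv from 118.151.209.119 port 50560 ssh2
Feb 27 00:58:37 ksol sshd[72748]: Connection closed by 115.231.239.155 port 59107 [preauth]
Feb 27 00:59:41 ksol sshd[75022]: Connection closed by authenticating user sshd 175.197.206.221 port 40517 [preauth]
Feb 27 01:18:17 ksol sshd[97108]: Invalid user user1 from 86.241.250.150 port 36452
Feb 27 01:18:17 ksol sshd[97108]: Connection closed by invalid user user1 86.241.250.150 port 36452 [preauth]
Feb 27 02:05:28 ksol sshd[51390]: reverse mapping checking getaddrinfo for rev-13-246-20.isp3.alsatis.net [37.1.246.13] failed.
Feb 27 02:05:33 ksol sshd[51390]: Invalid user alarm from 37.1.246.13 port 54636
"""

LINE = re.compile(r"sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
# Pre-auth message shapes that appear in the report.
PATTERNS = [
    ("invalid_user", re.compile(r"Invalid user \S* ?from (\S+) port \d+")),
    ("failed_auth", re.compile(
        r"Failed \S+ for (?:invalid user )?\S+ from (\S+) port \d+")),
    ("preauth_close", re.compile(
        r"Connection closed by (?:(?:invalid|authenticating) user \S+ )?"
        r"(\S+) port \d+ \[preauth\]")),
]


def probes_by_ip(log_text):
    """Map source IP -> {sshd pid -> set of matched message kinds}."""
    seen = defaultdict(lambda: defaultdict(set))
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        for kind, rx in PATTERNS:
            hit = rx.match(m.group("msg"))
            if hit:
                seen[hit.group(1)][m.group("pid")].add(kind)
                break
    return seen


def unlisted(log_text, listed):
    """IPs with pre-auth probe lines that are missing from `listed`."""
    return sorted(ip for ip in probes_by_ip(log_text) if ip not in listed)


if __name__ == "__main__":
    # Per the report, only the first address was registered by blacklistd.
    listed = {"118.151.209.119"}
    for ip in unlisted(SAMPLE_LOG, listed):
        pids = probes_by_ip(SAMPLE_LOG)[ip]
        print(ip, {pid: sorted(kinds) for pid, kinds in pids.items()})
```

Grouping by PID keeps the several lines one connection produces from being counted as separate attempts when the result is compared with blacklistd's failure count.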