Date: Wed, 19 Apr 2023 05:41:51 +0000
From: bugzilla-noreply@freebsd.org
To: bugs@FreeBSD.org
Subject: [Bug 270928] Blacklistd does not handle SSHD failed logins
Message-ID: <bug-270928-227@https.bugs.freebsd.org/bugzilla/>
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=270928

            Bug ID: 270928
           Summary: Blacklistd does not handle SSHD failed logins
           Product: Base System
           Version: 13.1-RELEASE
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Some People
          Priority: ---
         Component: bin
          Assignee: bugs@FreeBSD.org
          Reporter: bc979@lafn.org

Created attachment 241577
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=241577&action=edit
A patch to blacklistd to have BL_BADUSER handled as BL_ADD

Blacklistd with SSHD does not work properly. To create the problem, configure
/etc/ssh/sshd.config to enable UseBlacklistd. Then start Blacklistd. Use ssh
from another system to login with an invalid id and password. Try again.
Blacklistd should have locked you out. Check with "blacklistctl dump -a".
There will not be any entries.

The problem is that sshd uses the type BL_BADUSER when calling blacklistd.
The code in blacklistd.c says that this type is "ignore for now". The
BL_BADUSER type was supposed to immediately block the IP on the first time
regardless of the configuration in /etc/blacklistd.conf. However, at this time
it never does anything. As a result the calling IP is never blocked.

The simple solution is the attached patch. However, after some consideration,
I believe that BL_BADUSER should always be handled as BL_ADD. The purpose of the
configuration file is to give the system administrator control over when
callers are blocked. By sshd using BL_BADUSER, the configuration in the config
file is never used. That will certainly confuse the administrator and removes
control over blocking from the administrator to the programmer who develops the
code that calls blacklistd.

Having sshd block the IP after the first invalid id or password is not a great
idea. A simple fat-fingered user will be blocked for 24 hours after the first
login attempt. It is not uncommon for there to be typos in login attempts.
That is a severe penalty for the user.

There is no way for the administrator to remove the entry from blacklistd
(presuming the user can actually contact the administrator). The administrator
can only remove the IP address from the pf blocking table. That will "work"
until something causes blacklistd to be restarted. On restart, blacklistd will
reenable the block in pf.

I believe that blacklistd should not override the administrator's
configuration.

-- 
You are receiving this mail because:
You are the assignee for the bug.
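To make the three behaviours the report contrasts concrete (BL_BADUSER ignored, BL_BADUSER counted like BL_ADD against the configured nfail threshold, and BL_BADUSER blocking on the first attempt), here is an added simulation that is not blacklistd's source; the Policy/Daemon names, the "as_add"/"immediate"/"ignore" modes, the nfail=3 and 24-hour values, and the event stream are all constructed for this illustration.

```python
"""Model of how a blacklistd-style daemon could treat BL_BADUSER.

Added illustration only; not code from blacklistd.c. The message type
names mirror the report, everything else here is a constructed model.
"""
from dataclasses import dataclass, field

BL_ADD, BL_DELETE, BL_BADUSER = "add", "delete", "baduser"


@dataclass
class Policy:
    nfail: int       # failures allowed before blocking (like blacklistd.conf "nfail")
    duration: int    # seconds an address stays blocked (like "duration")
    baduser: str     # "ignore" (current), "as_add" (proposed), or "immediate"


@dataclass
class Daemon:
    policy: Policy
    fails: dict = field(default_factory=dict)    # ip -> failure count
    blocked: dict = field(default_factory=dict)  # ip -> unblock time

    def handle(self, msg_type, ip, now):
        if msg_type == BL_DELETE:        # model convention: success clears the count
            self.fails.pop(ip, None)
            return
        if msg_type == BL_BADUSER:
            if self.policy.baduser == "ignore":       # "ignore for now": nothing happens
                return
            if self.policy.baduser == "immediate":    # first attempt blocks, config bypassed
                self.blocked[ip] = now + self.policy.duration
                return
            # "as_add": fall through and count it like an ordinary BL_ADD failure
        self.fails[ip] = self.fails.get(ip, 0) + 1
        if self.fails[ip] >= self.policy.nfail:
            self.blocked[ip] = now + self.policy.duration

    def is_blocked(self, ip, now):
        until = self.blocked.get(ip)
        return until is not None and now < until


# Constructed event stream: one host fails three times, another host makes one typo.
EVENTS = [(0, BL_BADUSER, "192.0.2.10"), (1, BL_BADUSER, "192.0.2.20"),
          (5, BL_BADUSER, "192.0.2.10"), (9, BL_BADUSER, "192.0.2.10")]


def run(baduser_mode, events=EVENTS, nfail=3, duration=24 * 3600):
    """Replay the events under one BL_BADUSER policy and return the daemon state."""
    d = Daemon(Policy(nfail=nfail, duration=duration, baduser=baduser_mode))
    for now, mtype, ip in events:
        d.handle(mtype, ip, now)
    return d
```

Under "as_add" only the host that crossed the configured threshold is blocked; under "immediate" the single typo from 192.0.2.20 earns the full 24-hour block the report objects to.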