From: Cos Chan
Date: Thu, 16 Nov 2017 08:27:20 +0100
Subject: Re: How to setup IPFW working with blacklistd
To: Ian Smith
Cc: freebsd-questions, Michael Ross, Kurt Lidl

>> > > You might instead try MaxAuthTries 4 .. sshd_config(5) says:
>> > >
>> > >      MaxAuthTries
>> > >              Specifies the maximum number of authentication attempts permitted
>> > >              per connection.  Once the number of failures reaches half this
>> > >              value, additional failures are logged.  The default is 6.
>> > >
>> > > Half of 3 as an integer is only 1, but half of 4 is 2. See if it helps?
>> >
>> > I didn't change the MaxAuthTries, since I found something interesting from
>> > the different logs concerning that issue:
>> >
>> > From blacklistctl dump:
>> >
>> > $ sudo blacklistctl dump
>> >         address/ma:port id      nfail   last access
>> > 78.203.146.34/32:22             0/1     1970/01/01 01:00:00
>> > 195.225.116.21/32:22            0/1     1970/01/01 01:00:00
>> > 123.31.26.123/32:22             0/1     1970/01/01 01:00:00
>> > 112.148.101.13/32:22            0/1     1970/01/01 01:00:00
>> > 93.23.6.18/32:22                0/1     1970/01/01 01:00:00
>> > 5.102.197.124/32:22             0/1     1970/01/01 01:00:00
>> > 193.154.127.32/32:22            0/1     1970/01/01 01:00:00
>> > 113.232.216.41/32:22            0/1     1970/01/01 01:00:00
>> >
>> > From sshd log:
>> >
>> > Nov 10 17:57:41 res sshd[49839]: Invalid user pi from 193.154.127.32
>> > Nov 10 17:57:41 res sshd[49840]: Invalid user pi from 193.154.127.32
>> > Nov 10 17:57:41 res sshd[49840]: input_userauth_request: invalid user pi [preauth]
>> > Nov 10 17:57:41 res sshd[49839]: input_userauth_request: invalid user pi [preauth]
>>
>> Note the two different PIDs on these, indicating sshd handling two
>> separate connections. From above, MaxAuthTries limits the maximum
>> number of attempts _per_connection_. So each of these indicates only one
>> (or possibly two, as again from above, only those greater than half of
>> the maximum (here 3/2 = 1) are supposedly logged by sshd).
>>
>> I don't know just what sshd reports to blacklistd in what circumstances,
>> nor how those are reflected in blacklistd's logging .. Kurt likely does.
>>
>> > Nov 11 03:50:47 res sshd[57896]: Invalid user support from 123.31.26.123
>> > Nov 11 03:50:47 res sshd[57896]: input_userauth_request: invalid user support [preauth]
>> > Nov 11 03:50:47 res sshd[57896]: error: Received disconnect from 123.31.26.123 port 55811:3: com.jcraft.jsch.JSchException: Auth fail [preauth]
>>
>> That's on one PID, i.e. one connection. Less than three failures on it.
>>
>> > Nov 11 03:50:49 res sshd[57898]: Invalid user admin from 123.31.26.123
>> > Nov 11 03:50:49 res sshd[57898]: input_userauth_request: invalid user admin [preauth]
>> > Nov 11 03:50:49 res sshd[57898]: error: Received disconnect from 123.31.26.123 port 57823:3: com.jcraft.jsch.JSchException: Auth fail [preauth]
>>
>> Ditto.
>>
>> > Nov 11 03:50:51 res sshd[57900]: Invalid user admin from 123.31.26.123
>> > Nov 11 03:50:51 res sshd[57900]: input_userauth_request: invalid user admin [preauth]
>> > Nov 11 03:50:51 res sshd[57900]: error: Received disconnect from 123.31.26.123 port 59819:3: com.jcraft.jsch.JSchException: Auth fail [preauth]
>>
>> Another.
>>
>> > Nov 11 03:50:53 res sshd[57902]: Invalid user ubnt from 123.31.26.123
>> > Nov 11 03:50:53 res sshd[57902]: input_userauth_request: invalid user ubnt [preauth]
>> > Nov 11 03:50:53 res sshd[57902]: error: Received disconnect from 123.31.26.123 port 61795:3: com.jcraft.jsch.JSchException: Auth fail [preauth]
>>
>> Again.
>>
>> > Nov 11 03:50:55 res sshd[57904]: Invalid user PlcmSpIp from 123.31.26.123
>> > Nov 11 03:50:55 res sshd[57904]: input_userauth_request: invalid user PlcmSpIp [preauth]
>> > Nov 11 03:50:55 res sshd[57904]: error: Received disconnect from 123.31.26.123 port 61920:3: com.jcraft.jsch.JSchException: Auth fail [preauth]
>>
>> Again.
>>
>> > Nov 11 03:50:57 res sshd[57906]: Invalid user admin from 123.31.26.123
>> > Nov 11 03:50:57 res sshd[57906]: input_userauth_request: invalid user admin [preauth]
>> > Nov 11 03:50:57 res sshd[57906]: error: Received disconnect from 123.31.26.123 port 61949:3: com.jcraft.jsch.JSchException: Auth fail [preauth]
>>
>> And yet another. There's no indication that sshd is - or is supposed to
>> be - keeping track of separate connections from the same IP address.
>>
>
> I agree that sshd should not keep track of the IP, but blacklistd should.
>
>> > I see 2 problems:
>> >
>> > Problem 1:
>> > The IP 193.154.127.32 didn't reach sshd maximum authentication (=3), it
>> > tried only 2 times.
>>
>> Perhaps rather, only once or twice on each of two separate connections?
>>
>> > But in my opinion it should be recorded to blacklistd as 2/1 instead of 0/1.
>>
>> I gather that it would take 3 failed logins on any _one_ connection to
>> report it as _one_ failure to blacklistd.
>>
>
> Is this reasonable? In case one IP was using thousands of connections which
> failed once per connection, then it will never be banned by blacklistd
> (unless the maxauth of sshd is 1)?
>

In that case I tested sshd MaxAuthTries=1 and blacklistd nfail=1 and still get a weird entry.

$ sudo blacklistctl dump
        address/ma:port id      nfail   last access
57.83.1.58/32:22                0/1     1970/01/01 01:00:00

$ sudo cat auth.log | grep 57.83.1.58
Nov 16 07:04:17 res sshd[31112]: Invalid user pi from 57.83.1.58
Nov 16 07:04:17 res sshd[31113]: Invalid user pi from 57.83.1.58
Nov 16 07:04:17 res sshd[31112]: Connection closed by 57.83.1.58 port 51140 [preauth]
Nov 16 07:04:17 res sshd[31113]: Connection closed by 57.83.1.58 port 51144 [preauth]

$ cat blacklistd-helper.log | grep 'Nov 16'
...
Thu Nov 16 07:01:28 CET 2017 /usr/libexec/blacklistd-helper run add blacklistd tcp 120.237.88.186 32 22
Thu Nov 16 07:14:05 CET 2017 /usr/libexec/blacklistd-helper run add blacklistd tcp 139.59.111.224 32 22

No action from blacklistd-helper? How could that entry be added to the database? No logs concerning it from blacklistd either:

$ cat blacklistd.log | grep 'Nov 16'
...
Nov 16 07:01:28 res blacklistd[23916]: blocked 120.237.88.186/32:22 for -1 seconds
Nov 16 07:14:05 res blacklistd[23916]: blocked 139.59.111.224/32:22 for -1 seconds

-- 
with kind regards
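The cross-check the thread does by hand (count sshd failures per source address and per sshd PID, then compare with the nfail column of `blacklistctl dump`) as an added example; this is not code from the thread, from sshd or from FreeBSD's blacklistd. The log lines, the RFC 5737 addresses and the value in the id column are constructed for the example, and the regular expressions are written against the log and dump formats visible in this thread, which is an assumption for other sshd or blacklistd versions.

```python
"""Reconcile sshd's per-connection failure logging with blacklistctl's counters.

Added example: not code from this thread, from sshd, or from blacklistd.
Log lines, addresses and the id column below are constructed for the example.
"""
import re
from collections import defaultdict

# One sshd log line: "Mon DD HH:MM:SS host sshd[PID]: message" (format as shown in the thread).
SSHD_RE = re.compile(r"^\w{3}\s+\d+ \d\d:\d\d:\d\d \S+ sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
INVALID_RE = re.compile(r"^Invalid user \S+ from (?P<ip>[\d.]+)")
FAILED_RE = re.compile(r"^Failed password for (?:invalid user )?\S+ from (?P<ip>[\d.]+) port \d+")
# One 'blacklistctl dump' row: address/mask:port, optional id, nfail/threshold, last access.
DUMP_RE = re.compile(
    r"^(?P<addr>[\d.]+)/(?P<mask>\d+):(?P<port>\d+)\s+(?:(?P<id>\S+)\s+)?"
    r"(?P<nfail>\d+)/(?P<thresh>\d+)\s+(?P<last>\d{4}/\d\d/\d\d \d\d:\d\d:\d\d)\s*$"
)

# Constructed sample input (RFC 5737 documentation addresses) mimicking the thread's logs:
# one address fails once on each of two connections, the other fails once on one connection.
AUTH_LOG = """\
Nov 16 07:04:17 res sshd[31112]: Invalid user pi from 203.0.113.58
Nov 16 07:04:17 res sshd[31113]: Invalid user pi from 203.0.113.58
Nov 16 07:04:17 res sshd[31112]: Connection closed by 203.0.113.58 port 51140 [preauth]
Nov 16 07:04:17 res sshd[31113]: Connection closed by 203.0.113.58 port 51144 [preauth]
Nov 16 07:10:01 res sshd[31200]: Invalid user admin from 198.51.100.9
Nov 16 07:10:03 res sshd[31200]: Failed password for invalid user admin from 198.51.100.9 port 40110 ssh2
Nov 16 07:10:05 res sshd[31200]: Connection closed by 198.51.100.9 port 40110 [preauth]
"""

# Constructed 'blacklistctl dump' output; the id value 100 is made up for the example.
DUMP = """\
        address/ma:port id      nfail   last access
203.0.113.58/32:22              0/1     1970/01/01 01:00:00
198.51.100.9/32:22      100     1/1     2017/11/16 07:10:05
"""


def parse_sshd(lines):
    """Return {ip: {pid: failed_attempts}} from sshd log lines.

    Each 'Failed password' line is one attempt.  A connection that logged
    'Invalid user' but no 'Failed password' (the client gave up before
    sending a password, as in the thread) counts as one attempt.
    """
    failed = defaultdict(lambda: defaultdict(int))
    invalid = defaultdict(set)
    for line in lines:
        m = SSHD_RE.match(line)
        if not m:
            continue
        pid, msg = m["pid"], m["msg"]
        f = FAILED_RE.match(msg)
        if f:
            failed[f["ip"]][pid] += 1
            continue
        i = INVALID_RE.match(msg)
        if i:
            invalid[i["ip"]].add(pid)
    per_ip = {}
    for ip in set(failed) | set(invalid):
        per_ip[ip] = {pid: max(failed[ip][pid], 1) for pid in set(failed[ip]) | invalid[ip]}
    return per_ip


def parse_dump(text):
    """Return {ip: (nfail, threshold, last_access)} from 'blacklistctl dump' output."""
    entries = {}
    for line in text.splitlines():
        m = DUMP_RE.match(line.strip())
        if m:
            entries[m["addr"]] = (int(m["nfail"]), int(m["thresh"]), m["last"])
    return entries


def reconcile(per_ip, dump):
    """Per address: what the sshd log shows versus what blacklistd has counted."""
    report = {}
    for ip, pids in per_ip.items():
        entry = dump.get(ip)
        report[ip] = {
            "connections": len(pids),
            "attempts": sum(pids.values()),
            "max_on_one_connection": max(pids.values()),
            "blacklistd_nfail": entry[0] if entry else None,
            "blacklistd_threshold": entry[1] if entry else None,
            # 1970/01/01 in the last-access column is a zero timestamp shown in local time.
            "zero_timestamp": entry is not None and entry[2].startswith("1970/01/01"),
        }
    return report


def undercounted(report):
    """Addresses whose failures in the sshd log exceed blacklistd's nfail counter."""
    return sorted(ip for ip, r in report.items()
                  if r["blacklistd_nfail"] is not None and r["attempts"] > r["blacklistd_nfail"])


if __name__ == "__main__":
    rep = reconcile(parse_sshd(AUTH_LOG.splitlines()), parse_dump(DUMP))
    for ip, r in sorted(rep.items()):
        print(ip, r)
    print("undercounted:", undercounted(rep))
```

Run against a real `auth.log` and `blacklistctl dump` by replacing the two constructed strings with the file contents; an address listed by `undercounted` with `connections` greater than `max_on_one_connection` is exactly the one-failure-per-connection pattern discussed above.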